17:00:46 <hyakuhei> #startmeeting openstack security group
17:00:47 <openstack> Meeting started Thu Aug  7 17:00:46 2014 UTC and is due to finish in 60 minutes.  The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:48 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:50 <openstack> The meeting name has been set to 'openstack_security_group'
17:01:03 <hyakuhei> Hey everybody!
17:01:09 <tkelsey> Hey
17:01:11 <michaelxin> hey, all
17:01:12 <tmcpeak> HOLA
17:01:12 * sicarie waves
17:01:13 <tmcpeak> :P
17:01:42 <tkelsey> I'm on foot FYI
17:01:57 <tmcpeak> on foot?
17:02:07 <hyakuhei> on phone IRC?
17:02:10 <hyakuhei> crazy
17:02:19 <tkelsey> Walking yup :-)
17:02:23 <tmcpeak> oh cool, kids these days
17:02:43 <hyakuhei> I know right!
17:02:48 <tkelsey> It's all the rage
17:02:55 <hyakuhei> ok, so what do people want to discuss today?
17:03:09 <tmcpeak> gmurphy or I can mention the Horizon XSS walkthrough idea
17:03:17 <bknudson> hi
17:03:22 <hyakuhei> hey bknudson
17:03:27 <hyakuhei> sounds good tmcpeak
17:03:30 <hyakuhei> what else?
17:03:47 <bdpayne> can anyone provide an update on the stevedore work?
17:03:50 <tmcpeak> did anybody look at stevedore?
17:03:56 <bdpayne> ;-)
17:03:58 <tmcpeak> I just started picking through the docs last night
17:04:00 <michaelxin> read the docs
17:04:11 <michaelxin> started looking at the code
17:04:11 <tmcpeak> I've been UTG trying to tie up some ends
17:05:13 <tmcpeak> so I guess for stevedore we'll postpone until next week so we can all finish going through it?
17:05:23 <michaelxin> sounds like a plan
17:05:33 <hyakuhei> +1
17:05:41 <tmcpeak> cool
17:06:04 <bknudson> what's being done with stevedore? security audit? threat analysis?
17:06:15 <hyakuhei> #topic stevedore
17:06:23 <michaelxin> nothing
17:06:30 <tmcpeak> bknudson: I think we're starting with reading through the code
17:06:30 <michaelxin> plan to do code review
17:06:34 <tmcpeak> bknudson even
17:06:35 <hyakuhei> #link https://github.com/openstack/stevedore
17:06:43 <tmcpeak> bknudson: to get an idea of how it works/ what it does
17:06:53 <tmcpeak> then threat modeling would probably be a solid approach IMO
17:07:00 <bknudson> dhellmann is probably the expert there
17:07:07 <tmcpeak> bdpayne: where did this come from btw?
17:07:36 <bdpayne> hey
17:07:43 <bdpayne> so this was a request from the glance community
17:07:48 <bdpayne> they will be using stevedore soon
17:07:50 <hyakuhei> Lots of teams seem to be moving to it, bdpayne pointed out we should get involved :)
17:07:56 <hyakuhei> ah, you're here :D
17:07:59 <bdpayne> and they recognized that it has some potential for negative security impact
17:07:59 <bknudson> I thought you were wondering where stevedore came from
17:08:00 <tmcpeak> ahh ok cool
17:08:10 <tmcpeak> no not itself, but the request to look at it
17:08:13 <michaelxin> it is a library for loading code dynamically easily.
17:08:19 <tmcpeak> it does seem like it may be ripe for some good sploits
17:08:21 <bdpayne> so, it's a code review to understand if they are doing things right from a security perspective
17:08:43 <bknudson> #link http://stevedore.readthedocs.org/en/latest/
17:08:44 <bknudson> docs
17:08:57 <hyakuhei> ty
17:09:02 <bdpayne> I believe other openstack projects either are using it, or will be using it soon
17:09:09 <bdpayne> so it has broader impact too
17:09:14 <hyakuhei> ok so the tl;dr is people are looking into it but no results yet ?
17:09:16 <bknudson> we had a proposal for keystone to use it
17:09:22 <tmcpeak> hyakuhei: +1
17:09:47 <bdpayne> cool, I'm glad that some of you have started pushing ahead with looking at it
17:09:53 <bdpayne> looking forward to hearing what you find
17:09:55 <tkelsey> Barbican uses it
17:09:59 <tkelsey> It
17:10:21 <michaelxin> nice to know. Thanks.
17:10:21 <tmcpeak> yeah, I've actually seen it all over the place, just was wondering about where the idea to look at it from a security perspective came from
17:10:35 <bknudson> #link https://review.openstack.org/#/c/89419/
17:10:43 <bknudson> there's the keystone change that was abandoned
17:10:50 <bknudson> so it's an example of how to enable it
17:10:57 <hyakuhei> anything going through Barbican needs some extra level of inspection...
17:11:05 <tmcpeak> bknudson: +1
17:11:11 <gmurphy> probably make sure you keep some notes or a record of the audit / review if you can.
17:11:22 <michaelxin> +1
17:11:24 <gmurphy> will help with things becoming security supported by the VMT etc
17:11:25 <tmcpeak> gmurphy: oh good, you're here
17:11:47 <bknudson> where would these notes go? seems like the obvious place is stevedore docs
17:11:55 <gmurphy> yep. sorry if i'm late.
17:12:13 <tmcpeak> gmurphy: no, you're good, just wasn't sure if the alarm would do it :)
17:12:23 <michaelxin> can we use google docs or a wiki page to track the progress
17:12:25 <hyakuhei> cool ok lets move along :)
17:12:35 <hyakuhei> Welcome gmurphy - crazy timezone for you....
17:12:43 <hyakuhei> #topic XSS shenanigans
17:12:49 <hyakuhei> tmcpeak gmurphy you're up
17:12:54 <tmcpeak> gmurphy: wanna take it?
17:12:58 <tmcpeak> or I can, whichever you want
17:13:05 <gmurphy> you're welcome to.
17:13:10 <tmcpeak> ok cool
17:13:12 <gmurphy> i just wanted to raise the issue
17:13:24 <tmcpeak> gmurphy had the good idea that we've been seeing a lot of XSS in Horizon still
17:13:51 <tmcpeak> to prevent the same mistake from happening over and over it probably makes sense to have a strategy
17:14:03 <tmcpeak> so the idea is to do some code review for Horizon
17:14:03 <hyakuhei> But it's django right - that's an awesomely secure framework....
17:14:14 <michaelxin> Did we ever have a complete assessment on Horizon before?
17:14:17 <tmcpeak> yeah, Django is solid gold
17:14:33 <hyakuhei> So there's pretty good "don't do this" guidance for django already
17:14:37 <tmcpeak> michaelxin: not that I'm aware of, but I'm n00b
17:14:45 <hyakuhei> including lots on how to avoid XSS etc
17:14:57 <bknudson> XSS is really a subset of "escaping for formatted documents" and "trusting input"
17:15:06 <tmcpeak> so Django itself may be solid, but the Horizon implementation clearly still leaves something to be desired
17:15:26 <hyakuhei> So perhaps a first step is to take the issues that have been identified and review the django docs to see if horizon devs are simply ignoring django best practice
17:15:28 <bknudson> so we've got the same problem elsewhere... e.g., if we're generating URLs or XML docs.
17:15:46 <michaelxin> sounds good
17:15:50 <tmcpeak> hyakuhei: +1
17:16:07 <tkelsey> +1
17:16:23 <hyakuhei> ok great - so anyone feel they have enough time to take that as an action?
17:16:24 <michaelxin> automation will be the king
17:16:50 <michaelxin> I mean in the future :-)
17:16:56 <bknudson> michaelxin: what kind of automation?
17:16:56 <gmurphy> that's the other thing. i guess is there a way we can get a web app scanner into CI?
17:16:58 <tmcpeak> I'll finish my work on stevedore first
17:17:36 <tmcpeak> yeah, the offer has been floated for free access to Qualys
17:17:38 <gmurphy> and look at the delta of the warnings / logs etc?
17:17:43 <hyakuhei> gmurphy: Yeah we are working on using HP Fortify WebInspect for something along those lines
17:17:49 <michaelxin> once we identify the pattern, we might be able to write some scripts to automatically check for the problems.
17:17:58 <hyakuhei> Yes
17:18:14 <hyakuhei> in many cases they've either disabled escaping or they're missing appropriate decorators
17:18:19 <hyakuhei> I would imagine
17:18:20 <bknudson> IBM also has a web application scanner
17:19:02 <hyakuhei> Ok, so what's the action here and who wants to take it?
17:19:22 <bknudson> #link https://review.openstack.org/#/c/105476/
17:19:23 <tmcpeak> well one could be looking at the process for how to get a web app scanner into the gate for Horizon
17:19:37 <bknudson> there's the horizon change to fix XSS issues
17:19:54 <tmcpeak> one is poking through the recently reported issues and classifying them
17:20:01 <michaelxin> I can use our appscan to test Horizon
17:20:05 <bknudson> looks like you need to explicitly escape rather than unescape.
17:20:07 <bknudson> seems like a bug
17:21:06 <hyakuhei> ok, so I don't have bandwidth to take these actions, if we don't have a volunteer this week we'll log it and try again next week
17:22:07 <gmurphy> i can probably take a look at horizon
17:22:13 <sicarie> I'll take something, but it'll probably be slow going
17:22:20 <gmurphy> same
17:22:30 <michaelxin> I can look at scanner for Horizon
17:23:01 <michaelxin> I have a cloud server running devstack and AppScan ready.
17:23:02 <gmurphy> so i also need to follow up with qualys
17:23:33 <hyakuhei> #action gmurphy to look into horizon XSS scanning
17:23:58 <hyakuhei> sicarie: fancy documenting the current vulns in Horizon and the root causes?
17:24:05 <sicarie> Sure!
17:24:25 <hyakuhei> #action sicarie to document the root causes of existing Horizon vulnerabilities
17:24:46 <hyakuhei> ok cool
17:24:52 <hyakuhei> dg___: you here?
17:25:12 <gmurphy> sicarie - http://openstack-security.info/ ctrl+f XSS will probably help :-)
17:25:15 <dg___> hey
17:25:18 <hyakuhei> #topic OSSN-022
17:25:18 <michaelxin> gmurphy: I can help if needed
17:25:21 <sicarie> gmurphy: thanks!
17:25:31 <hyakuhei> Right, dg___ what is the review id for the OSSN?
17:25:45 <dg___> https://review.openstack.org/#/c/108349
17:26:02 <gmurphy> michaelxin - ok. should we set up an etherpad / google docs to keep notes?
17:26:17 <hyakuhei> #link https://review.openstack.org/#/c/108349
17:26:18 <dg___> but I can't submit the latest changes I discussed with nkinder, for some reason git review -s has no effect
17:26:38 <hyakuhei> ok - I want agreement on this OSSN so we can get it published
17:26:51 <hyakuhei> Can you guys take a second to read the latest copy with comments please?
17:27:10 <tmcpeak> sure
17:27:11 <dg___> sure, i can skype it over to you and you can submit it if you want?
17:27:40 <hyakuhei> The comment?
17:28:22 <dg___> that latest revision, nkinder and I agreed on comments, so I made the changes as discussed, but I can't submit it to gerrit
17:28:37 <hyakuhei> ok, so the latest revision is here: http://pastebin.com/tYU08QBr
17:28:59 <hyakuhei> I'd like to know how people find it regarding clarity?
17:29:30 <tmcpeak> cool, what's the best way to provide feedback on it?
17:29:40 <bdpayne_> I kind of feel like we are starting to bike shed on this one.  It seems fine, imho.
17:29:53 <tmcpeak> what's bike shed?
17:29:59 <hyakuhei> I'm just looking for a general consensus
17:30:17 <michaelxin> looks fine to me
17:30:18 <bdpayne_> http://en.wiktionary.org/wiki/bikeshedding
17:30:19 <dg___> bdpayne +1
17:30:28 <hyakuhei> tmcpeak: too many cooks
17:30:36 <tmcpeak> ahh
17:30:44 <tmcpeak> you learn something new every day
17:30:51 <bknudson> my opinion is it's clear and complete as is
17:31:08 <hyakuhei> Ok so I have no problem with the latest iteration, dg___ maybe you can fix your git and submit it?
17:31:52 <dg___> hyakuhei kk
17:31:57 <tmcpeak> yeah this looks good
17:32:02 <hyakuhei> ok cool
17:32:09 <hyakuhei> thanks dg___
17:32:11 <dg___> as an aside - anyone know how to fix git?
17:32:19 <hyakuhei> #topic Any Other Business
17:32:29 <dg___> yep - swift token timeouts
17:32:31 <tmcpeak> if there's anybody who does, it's nkinder, he's the git oracle
17:32:33 <bknudson> the only thing that it might help to clarify is that the "Recommended Actions" could say this only applies pre-icehouse.
17:32:52 <bdpayne_> dg___ feel free to PM me about git
17:33:01 <dg___> bdpayne thanks
17:33:12 <bdpayne_> Re other business, I added a new OSSN http://en.wiktionary.org/wiki/bikeshedding
17:33:17 <bdpayne_> um, scratch that link
17:33:19 <bdpayne_> one sec
17:33:20 <tmcpeak> lol
17:33:22 <hyakuhei> heh
17:33:22 <dg___> hahaha
17:33:25 <bdpayne_> https://bugs.launchpad.net/keystone/+bug/1348844
17:33:26 <uvirtbot> Launchpad bug 1348844 in ossn "Keystone logs auth tokens in URLs at log level info" [Undecided,New]
17:33:27 <bdpayne_> :-)
17:33:37 <hyakuhei> Dear OpenStack - Y SO MUCH BIKESHEDDING? Thanks the OSSG.
17:33:48 <tmcpeak> LMAO
17:33:51 <hyakuhei> #link https://bugs.launchpad.net/keystone/+bug/1348844
17:34:13 <hyakuhei> bdpayne_: looks like a good candidate
17:34:18 <hyakuhei> They're not backfixing it I guess?
17:34:37 <bdpayne_> requires an api change
17:34:43 <bdpayne_> and already fixed in v3 api
17:34:50 <bdpayne_> so they don't plan to fix it
17:35:01 <bknudson> if someone wants to fix it I don't think it would be blocked.
17:35:13 <tmcpeak> bdpayne_: yeah, this looks good for an OSSN
17:36:00 <hyakuhei> bknudson: That's not how this is supposed to work, either it can be fixed and an OSSA gets issued, or it can't be fixed in previous versions and we issue an OSSN ...
17:36:29 <hyakuhei> as the VMT doesn't issue OSSAs for issues that aren't fixed in supported versions
17:36:29 <bknudson> I can't think of a reason why this couldn't be fixed.
17:36:43 <hyakuhei> Which seems like the most OSSA worthy issue of all...
17:36:47 <bknudson> I can think of reasons why we wouldn't bother.
17:37:55 <hyakuhei> Ok well let's see if someone picks that up off the queue this week
17:38:00 <hyakuhei> Anything else?
17:38:08 <dg___> swift token timeouts
17:38:12 <hyakuhei> oh yeah
17:38:18 <hyakuhei> go ahead dg___
17:39:01 <dg___> tokens are cached for 10 minutes, so if a token is revoked, you can have access for up to 10 minutes
17:39:18 <bknudson> dg___: is this in auth_token middleware or something else?
17:39:22 <dg___> I'm not sure if this is a swift feature, or a feature of our config - was wondering if anyone else had come across it?
17:40:00 <dg___> bknudson i think so, I haven't dug into the code to trace it through
17:40:31 <bknudson> auth_token middleware has a config option for how long to cache tokens: http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token.py#n279
17:40:49 <bknudson> and how long to cache the revocation list revocation_cache_time
17:41:09 <dg___> thanks, I'll take a look
17:41:12 <michaelxin> -1 to disable it
17:41:21 <bknudson> we added a feature somewhat recently to check the revocation list for cached time: http://git.openstack.org/cgit/openstack/keystonemiddleware/tree/keystonemiddleware/auth_token.py#n321
17:41:31 <bknudson> check_revocations_for_cached
17:41:44 <bknudson> so you can shorten the cache time for the token
17:41:51 <dg___> gotcha
17:42:03 <bknudson> you can enable check_revocations_for_cached and shorten the revocation_cache_time
17:42:07 <bknudson> if that's more efficient
17:42:17 <dg___> that's what i was about to ask!
17:42:32 <dg___> that would make sense, thanks bknudson
17:42:55 <bknudson> setting check_revocations_for_cached requires setting up pki on the keystone server even if you're using UUID tokens
17:43:16 <bknudson> because the revocation list is cms encrypted for some reason
17:43:41 <dg___> ok
17:43:46 <bknudson> all this assumes that swift is using auth_token middleware... I only tried this with nova
17:44:08 <dg___> lol I will talk to the swift folks, assuming it is, this seems like a smart way to handle it
17:44:51 <hyakuhei> ok cool, thanks bknudson dg___
17:45:00 <hyakuhei> Anything else?
17:45:05 <dg___> thanks
17:45:06 <sriramhere> you all, make sure bay area ppl attend the meetup organized by Bryan and Preeti
17:45:26 <bknudson> did we have some docs for what encryption algorithms are used in different components?
17:45:33 <sriramhere> http://www.meetup.com/Cloud-Platform-at-Symantec/events/199393922/?a=ea1_grp&rv=ea1&_af_eid=199393922&_af=event
17:45:35 <tmcpeak> sriramhere: +1, that will be a good regular meetup spot for us
17:45:52 <sriramhere> :)
17:46:03 <notmyname> dg___: swift is using the auth_token middleware for keystone
17:46:09 <bdpayne_> oh yeah that, thanks sriramhere
17:46:16 <bdpayne_> :-)
17:46:33 <bdpayne_> bknudson we do, on the wiki
17:46:36 <dg___> thanks notmyname
17:46:55 <michaelxin> cool. thanks.
17:47:34 <bdpayne_> bknudson https://wiki.openstack.org/wiki/Security/Juno
17:48:08 <bknudson> bdpayne_: thanks for the link
17:48:35 <bknudson> I've got a team here where I've asked them to do a crypto audit...
17:48:49 <bdpayne_> oh great
17:48:51 <bknudson> if it goes well I'll see if I can get these pages updated.
17:48:56 <bdpayne_> this is on my short(ish) list too
17:49:02 <bdpayne_> I would love to see those get filled out
17:50:13 <hyakuhei> That would be really good
17:50:45 <hyakuhei> ok, I think we are good to wrap here.
17:51:03 <hyakuhei> Thanks everyone - got a few good actions down!
17:51:10 <sriramhere> thanks!
17:51:13 <michaelxin> thanks.
17:51:13 <hyakuhei> #endmeeting