17:01:17 #startmeeting OpenStack Security Group
17:01:17 Meeting started Thu Jan 8 17:01:17 2015 UTC and is due to finish in 60 minutes. The chair is hyakuhei. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:01:18 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:20 The meeting name has been set to 'openstack_security_group'
17:01:21 yo!
17:01:25 hi
17:01:27 hi
17:01:28 o/
17:01:30 howdy
17:01:32 Hey!
17:01:35 hello
17:01:42 hi
17:01:47 hello
17:02:01 Good turnout today, a few new people too by the looks?
17:02:09 new here
17:02:10 seems to be
17:02:12 introductions?
17:02:25 hi dlambrig_ welcome
17:02:32 hi all
17:02:39 That would be appropriate :) New guys introduce yourselves?
17:02:56 Hi All - I'm Dan from Red Hat, I am interested in intrusion detection in openstack
17:03:09 awesome
17:03:10 * singlethink is Matthew Van Gundy ... I'm a Tech Lead in Cisco's Advanced Security Initiatives Group
17:03:21 Hey Dan, thanks for swinging by, you’ll find plenty of people here interested in that too
17:03:26 cool
17:03:40 Advanced security initiatives! We definitely need some of them, welcome singlethink
17:03:40 singlethink: what kind of stuff are you guys looking at?
17:04:06 We are where the buck stops for making sure that our products have as few security issues as possible...
17:04:15 awesome!
17:04:17 existing members should reintroduce themselves too.. :)
17:04:20 we can barely get basic security initiatives.
17:04:28 I've just been granted approval to participate so we're probably going to start with hardening recommendations and the like
17:04:37 and move on from there
17:04:38 sounds good
17:04:42 chair6... is it new year's resolution :P
17:04:49 * bdpayne arrives fashionably late
17:04:50 hi all
17:04:51 superb, very similar to what we’ve been doing (the HP’ers here)
17:04:56 Hey bdpayne, nkinder
17:04:58 Greetings
17:05:13 ukbelch: Hey, have you introduced yourself to the people here ?
17:05:38 I don't believe I have. I'm new to the HP Cloud security team, and have lurked the last few meetings to get a feel for the place.
17:05:47 for new people, we typically are hanging out in #openstack-security too
17:06:02 cool, thanks.
17:06:11 great
17:06:19 Cool so let's work out an agenda then!
17:06:26 # OSSG Meetup
17:06:27 meetup, Bandit
17:06:30 # Bandit
17:06:32 Anyway, my name is Dave Belcher, and I'm a hacker. It has been 16 hours since my last hack.
17:06:41 haha
17:06:44 lol nice
17:06:47 # Anchor
17:06:54 # Security initiatives in General
17:06:56 Anything else?
17:07:05 i've got an update on the sahara sec. doc
17:07:07 Notes?
17:07:21 elmiko: Great
17:07:27 # Sahara security
17:07:42 nkinder: Is there much to say about OSSNs ?
17:07:46 bdpayne: How about docs?
17:07:53 docs, sure
17:08:05 # OpenStack Security Guide / Documentation
17:08:16 hyakuhei: not a lot about OSSNs right now really
17:08:36 Ok that’s cool, let's get rolling then
17:08:42 #topic OSSG Meetup
17:08:48 Who doesn’t know about this already?
17:09:51 #link https://etherpad.openstack.org/p/ossg-kilo-meetup
17:09:52 https://etherpad.openstack.org/p/ossg-kilo-meetup
17:10:00 lol beat me to it
17:10:04 Ok so great, did you all get my email over the holidays?
17:10:21 nope
17:10:23 which option was chosen?
17:10:26 We’re now confirmed for the first date, at San Francisco Geekdom - sorry nkinder I know this clashed for you
17:10:26 yeh, but tell us anyway
17:10:38 bdpayne: no
17:10:46 I can’t find the email in archive, here’s a pastebin http://pastebin.com/W7qZYsMu
17:11:17 Basically we are going to run in parallel with Barbican. Hopefully we can work closely with them on some of the joint projects we have interest in.
17:11:21 hyakuhei: no, that's fine. I'm flying back from Europe on the 10th, but can attend otherwise.
17:11:41 So you’ll be available for the whole thing? That’s great news!
:D
17:12:26 tmcpeak1 checked out the location and said it’s good
17:12:38 I’m going to arrange breakfast and lunch catering somehow
17:12:38 yeah, seems perfect for us
17:12:48 hyakuhei: ah, actually I can't do the 19th that week, but will be there for the rest of it
17:13:04 hyakuhei: I know some good spots around there to get food
17:13:06 nkinder: No problem, I’m glad you can make it at all
17:13:10 Great!
17:13:25 #action tmcpeak1 to work out logistics, budgets and menus for mid-cycle
17:13:26 :P
17:13:31 FYI, here's the email #link http://lists.openstack.org/pipermail/openstack-security/2014-December/003072.html
17:13:35 I'm hoping for approval, so I can meet y'all too
17:13:35 buy all the things!
17:13:42 Thanks bdpayne my googles are broken
17:14:20 right so, plan is we’ll run from the Tuesday through to the Friday, so people can travel on the Monday and don’t lose two weekends to this
17:14:24 * hyakuhei values weekends!
17:14:35 +1
17:15:12 There’s plenty of hotels in the locality, if you want to suggest one you like on the etherpad then feel free, and when you’ve booked maybe say where on the etherpad too
17:15:38 Is everyone happy just confirming via the etherpad or would you prefer an eventbrite signup?
17:15:58 etherpad seems fine
17:16:01 +1
17:16:14 That’s my preference too.
17:16:33 So please add ideas and proposals to the etherpad
17:16:49 do we have any plans to setup a hotel block?
17:16:52 singlethink: you should take a look and see the direction we’re taking things :)
17:16:55 or do we not have enough people for that?
17:17:10 yes
17:17:18 I guess the first thing to do would be get an accurate head count
17:17:23 I probably won't be able to make the meetup though
17:17:28 bdpayne: I wasn’t planning to, many of us have corporate booking tools etc that make doing anything _clever_ particularly painful
17:17:51 heh
17:18:03 please add your name and if you are coming (yes, no, maybe) to etherpad
17:18:09 +1
17:18:49 cool
17:19:05 so maybe we can revisit next week when people have had a chance and see if it looks like hotel block is feasible
17:19:32 Sure
17:19:49 cool
17:19:56 Any more thoughts on the mid-cycle/meetup ?
17:20:04 I'll synch up offline with HP folks on the f00z
17:20:08 f00dz
17:20:22 Thanks tmcpeak1 let's try to get Angela to book all that :P
17:20:29 Actually
17:20:31 ahh cool, yeah that makes sense
17:20:31 +1
17:20:37 Is anyone itching to pay for all this other than HP ?
17:20:44 In the spirit of openness etc
17:21:43 Ok cool
17:21:46 #topic Bandit
17:21:57 ok so let's revive getting Bandit into projects
17:21:57 tmcpeak1, chair6, tkelsey etc.
17:22:06 tkelsey mentioned global requirements
17:22:09 I checked into that
17:22:19 we aren't using anything in Bandit that isn't already in global requirements
17:22:32 https://github.com/openstack/requirements
17:22:34 #link https://github.com/openstack/requirements
17:22:43 :\
17:22:51 tmcpeak1 - maybe a refresh of what bandit is (for the new folk)?
17:22:53 I have no IRC-foo
17:22:55 if you want to aim for keystone first might be easier since I can +2
17:22:57 sure
17:23:07 bknudson: that would be awesome!
17:23:13 also, might be interesting to put this on the cross-project meeting topic
17:23:17 bknudson: yeah, absolutely
17:23:18 I was kind of hoping you'd say that actually bknudson
17:23:19 they might ask for a spec.
17:23:21 tmcpeak1 interested in this for Anchor
17:23:28 so I can put up a patch that adds bandit itself into global reqs
17:23:32 bknudson: Great, I know Mr Young was interested in this too, though it was some time ago when we spoke about it
17:23:44 mr young has many interests
17:23:50 lol so I’m told.
17:23:51 tkelsey: in order to do that we need to be running a job
17:24:03 https://github.com/openstack/requirements#enforcement-in-projects
17:24:09 humm, ok
17:24:10 tmcpeak1: Give a quick overview of Bandit for the new folks please.
17:24:10 so there is one step we need to do
17:24:13 #link https://wiki.openstack.org/wiki/Security/Projects/Bandit <- for the new folks
17:24:19 thanks chair6
17:24:19 ok cool
17:24:31 so Bandit is something that we started with last OpenStack Security meetup
17:24:33 * singlethink has taken a quick look... so I'm vaguely familiar with bandit
17:24:35 "Bandit provides a framework for performing security analysis of Python source code, utilizing the ast module from the Python standard library."
17:24:59 the idea is to automatically identify possible security issues in code using static code analysis (Python ASTs)
17:25:36 it scans through AST representations of Python source and when it encounters an AST node
17:25:56 like a function call or an import statement it calls plugins which self-declare their interest in that type of node
17:26:08 Operating at the syntax level (no type or data flow propagation), correct?
17:26:18 nope
17:26:25 so, for example, when somebody imports md5 we can warn that md5 isn't the most secure hash library to use
17:26:47 It’s a bit smarter than basic source code analysis
17:27:03 we have a few plugins already and a nice framework that makes it easy to write new checks
17:27:15 I was impressed by their brevity
17:27:30 Yeah they’re tidy.
17:27:43 Cool - any questions re: Bandit? Thanks for the overview tmcpeak1
17:28:08 singlethink: so we settled on the AST approach because we can do some smarter things, and we have some data flow propagation ideas, but we aren't there yet
17:28:14 is bandit in a state where we could start using it in our project?
17:28:24 Is it "feature complete" at this point? And now you're looking into writing tests and integrating with projects?
17:28:35 Or are there outstanding major features on the TODO list?
17:28:39 It should be usable now
17:28:46 no major features, I'd say it's pretty steady state
17:28:49 it is certainly usable
17:28:49 it's just limited in what it checks for
17:28:49 is any security tool ever "feature complete"?:)
17:28:52 but probably not "feature complete"
17:28:56 exactly
17:28:58 we have new 2.0 features we'd like to add, but should be very usable now
17:28:59 cool, i'll bring this up with the sahara folks. thanks
17:29:16 I guess I meant, stable and ready for use by the masses
17:29:16 Progress!
17:29:25 as an aside, there's some contributions coming from my team to Bandit shortly
17:29:25 initially we'd shoot for a non-blocking gate test just to see how noisy it is
17:29:42 bdpayne: yeah saw that - awesome-sauce!
17:29:57 we <3 contributions
17:29:58 bdpayne: Yes I saw Lucas was getting involved :)
17:30:03 :-)
17:30:26 ok, let's talk about Anchor for a moment
17:30:36 #topic Anchor
17:30:44 tkelsey: can you dig out a link to the wiki please?
17:30:54 So Anchor is what we’ve named Ephemeral PKI
17:31:01 which is now Apache2 and in Stackforge
17:31:36 We’ve been doing various bits recently, mainly tkelsey’s hard work, contributing changes to pycryptography so we can use that instead of M2Crypto
17:31:47 Because M2Crypto isn’t exactly well maintained
17:31:54 truth
17:32:00 #link https://wiki.openstack.org/wiki/Anchor
17:32:06 ^wiki
17:32:16 me too crypto? sounds… perfectly maintained ;)
17:32:18 That work has just landed in Anchor and now we’re looking to basically feature-freeze while we build up a testing framework for the core functionality
17:32:41 yup, lots of focus on testing next
17:32:46 #link https://www.youtube.com/watch?v=jf_YOzW7I3s Our talk on ephemeral PKI
17:32:48 tests tests and more tests
17:33:13 Also, at the moment the only contributors are HP and while that’s fine, I’m sure others might like to contribute
17:33:28 We also want to integrate with Barbican sooner rather than later.
17:33:34 so in keystone / auth_token middleware we have PKI tokens... can we use this to generate and distribute the certs?
17:33:35 Anything to add dg_ tkelsey ?
17:33:43 bknudson: I can’t see why not
17:33:48 i had asked about contributions last meeting, has there been any progress on a todo list or roadmap for Anchor?
17:33:53 nothing other than to encourage people to get involved ;)
17:33:59 that's a pretty good summary, hoping to get some tests in early next week
17:34:18 elmiko: well our first step was to move away from m2crypto
17:34:22 elmiko: It’s got a launchpad page, if you see things missing you want adding but don’t have time to write, drop a feature there
17:34:28 yeah that was a big lump of work
17:34:28 now we are testing
17:35:01 hyakuhei: i was thinking more in terms of helping with some of test framework and whatnot. i'd be happy to help but i'm not sure i have features ready to propose.
17:35:01 so any tests or code scrutiny would be most valuable
17:35:07 We’re quite process-light compared to more established OpenStack projects at the moment
17:35:07 actually it looks like anchor can essentially be the token / auth mechanism itself.
17:35:16 might have performance problems.
17:35:33 elmiko: Funny you mention that :)
17:35:40 bknudson: Possibly but it scales _really_ nicely
17:36:04 As well as any API/Rest-thingy scales I guess but there’s no back end RPC or shared states to worry about
17:36:31 #action dg_ tkelsey hyakuhei to build a basic roadmap for Anchor
17:36:37 gyee has been pushing for client cert auth for services for some time ... maybe you've been working with him.
17:36:38 is openstack-security the best place to talk about Anchor tasks and whatnot?
17:36:38 +1
17:36:49 We need some signposts to help guide people who want to get involved.
17:36:55 +1
17:37:07 bknudson: Nope though I’ve wanted server identities for a long time
17:37:08 +1 on client-cert auth...
17:37:09 yeah, I should have done that already tbh, but been tied up with the m2 related work
17:37:21 is there an architecture overview doc for anchor?
17:37:23 or should I just go read the code and whiteboard it?
17:37:24 hyakuhei +1
17:37:25 Anchor even supports Keystone auth for requestors as we see that as being where this will go
17:37:35 bdpayne: more the latter at the moment
17:37:45 It’s very simple (long may it stay that way!)
17:38:01 yeah, your comment on lack of state raised some questions in my head
17:38:05 I'll go research it a bit
17:38:23 hyakuhei I'll look at publishing our internal docs
17:38:34 bdpayne: awesome :) more eyes and all that
17:38:38 dg_: Yeah that should be fine
17:38:50 bdpayne: You were at my talk :P
17:39:27 yes, but it didn't answer my questions
17:39:39 :P
17:39:40 Great, the more questions the better :
17:39:49 Ok, anything else re: Anchor?
17:39:53 SSL cert auth spec review is here if you guys want to review. https://review.openstack.org/#/c/105913/
17:40:11 gyee have you heard of anchor?
17:40:19 bknudson, no
17:41:00 gyee: I'll take a look
17:41:07 hyakuhei: Making sure I understand what you said... so basically, Keystone would be the most fundamental auth mechanism... and you could use keystone auth tokens to get certs from Anchor?
17:41:07 So it’s the project formerly known as ephemeral PKI which you probably didn’t know about either :P
17:41:13 gyee: will look as well, thanks
17:41:31 singlethink: Yes it can work that way today but that’s not the only AuthN scheme
17:41:41 In fact we don’t even think it will get used much
17:41:53 re client certs, I’ll take a look
17:41:55 I was just trying to figure out if it was that, or the other way around
17:42:06 I expect that gyee wants to use existing PKI environments where client-certs are already available
17:42:27 nkinder, right, cert management is out of the scope of that spec
17:42:33 Yeah I expect so, Anchor can cater for that too, in fact it's probably a good thing :)
17:42:40 hyakuhei: I would think Barbican is the recommended way to get certs via keystone auth (possibly with anchor behind it)
17:42:49 gyee: Make sure your openssl is up to date as client cert auth was a bit broken: http://threatpost.com/openssl-fixes-eight-security-vulnerabilities/110279
17:42:53 it basically takes whatever is passed from mod_ssl
17:43:28 hyakuhei, yeah, it has a dependency on apache2
17:43:36 nkinder: Yeah, there’s lots of options. We’ll probably end up with an under-cloud Anchor to protect services like Rabbit, MySQL etc and Overcloud Anchor behind Barbican
17:43:58 hyakuhei: yeah, makes sense
17:44:28 ok, we’ve only got 15 minutes left
17:44:49 #topic Security initiatives in General
17:45:16 So we’ve got OSSNs, Security Guide, Bandit, Anchor and Threat Analysis running at the moment, all with various degrees of maturity and velocity
17:45:20 did anyone have specific questions on security doc and/or the security guide?
17:45:39 i do, project or tenant, which to use?
17:45:40 Does anyone have designs on the next big thing we should consider pursuing
17:45:45 project
17:45:55 +1
17:46:01 that's what i thought, just wanted something more concrete =)
17:46:04 keystone?
17:46:08 Basically the opposite of whatever you see me write, I always seem to get it wrong
17:46:10 yep, project
17:47:18 #topic Sahara security
17:47:31 #link https://etherpad.openstack.org/p/sahara-security-guide-notes
17:47:36 i've added more content there
17:47:47 and i'm still soliciting opinions/advice/criticisms
17:47:48 So you’re looking for a review?
17:48:13 i'm looking for more opinions about how we might proceed and if the content i'm creating is appropriate
17:48:25 bdpayne: interested on your thoughts on this?
17:48:37 i'm hoping to have a review up to the security-doc sometime next week
17:48:38 I can take a look
17:48:42 elmiko: What's the intended end-product?
17:48:43 thanks
17:49:06 hyakuhei: a new chapter 14 for the sec guide, on the data processing service
17:49:20 then you and bdpayne should definitely sync
17:49:21 ah yeah, so I'll review this in more detail later today
17:49:27 elmiko feel free to pester me on openstack-security too
17:49:27 bdpayne: thanks
17:49:32 Thanks both
17:49:41 elmiko: anything else ?
17:49:48 nope, just wanted to update =)
17:50:08 Great stuff, looking forward to seeing this progress
17:50:15 #topic Security Guide
17:50:19 bdpayne: What’s the latest?
17:50:24 oh hi
17:50:51 so the latest is that I'd love a person or two to step up and co-lead
17:51:03 I haven't been meeting my goals with the guide in a timely fashion
17:51:07 so more help could be good
17:51:19 if anyone's interested, please ping me
17:51:21 there's some great plans for moving this ahead
17:51:31 we just need to clean up the book a bit
17:51:34 editorial stuff
17:52:00 having said that, contributions are continuing to roll in, which is nice
17:52:03 bdpayne: i'll ping you later, you've got me curious
17:52:07 cool, thanks
17:52:09 Maybe there’ll be more takers after the mid-cycle, that’s a great way to introduce the docs project to people
17:52:21 yeah
17:52:41 ok cool, thanks bdpayne :)
17:52:48 #topic Any other business
17:52:49 but that's all that I have for now... so people can ponder that
17:53:02 General discussion, anything you think is interesting
17:53:26 Regarding Threat analysis...
17:53:36 got a couple of reviews from bknudson
17:54:10 Big changes since my last review?
17:54:16 i think in the security group, we should make a decision how should we progress
17:54:19 not much
17:54:28 some small stuff..
17:54:31 I think it was in good shape
17:54:45 better than what we had before.
17:54:46 thanks bknudson
17:55:00 shohel02 what are the paths you see?
17:55:40 this is setting the framework analysing other projects
17:55:57 definitely we need more involvement to get it forward
17:56:15 It's hard
17:56:23 yah
17:56:46 I’m trying to get HP to share architectural drawings where we don’t have lots of internal stuff on them but that’s not so easy
17:57:21 that would be helpful
17:58:07 I’m working on it :)
17:58:17 Last two minutes guys, anything to add?
17:58:44 cool, let's call it!
17:58:48 Thanks all!
17:58:49 thanks!
17:58:50 #endmeeting