17:00:41 <tmcpeak> #startmeeting security
17:00:42 <openstack> Meeting started Thu Jul 23 17:00:41 2015 UTC and is due to finish in 60 minutes. The chair is tmcpeak. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:43 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:00:46 <openstack> The meeting name has been set to 'security'
17:00:46 <tmcpeak> o/
17:00:50 <sicarie> o/
17:00:51 <tmcpeak> #topic Roll Call
17:00:52 <browne> hi
17:00:53 <elmiko> yo/
17:00:55 <bpb_> o/
17:01:00 <sigmavirus24> o/
17:01:02 <bknudson> hi
17:01:09 <Daviey> \o
17:01:10 <sigmavirus24> bknudson: you say hello, and I say hi
17:01:10 <bknudson> I'm at the nova meetup since it's here in Rochester
17:01:20 <sigmavirus24> bknudson: NY?
17:01:23 <bknudson> MN
17:01:31 <sigmavirus24> bknudson: Oh right!
17:01:42 <sigmavirus24> Glance wanted to co-locate and I would have driven over
17:01:42 <tmcpeak> bknudson: nice!
17:01:54 <tkelsey> o/
17:02:14 <tmcpeak> alright, I guess let's get rolling
17:02:15 <bknudson> I wonder why the glance colocation didn't happen
17:02:20 <tmcpeak> #topic Anchor
17:02:27 <tmcpeak> tkelsey, dg, Daviey
17:02:49 <sigmavirus24> bknudson: we were told 'no'
17:02:49 <tkelsey> some interesting work on alternative Anchor backends has been going on
17:02:54 <gmurphy> o/
17:03:02 <tmcpeak> Mr. Murphy, sit down, you're late :P
17:03:15 <Daviey> I've not been active on Anchor this week :(
17:03:20 <gmurphy> soz. nasa things.
17:03:29 <elmiko> lol
17:03:38 <tmcpeak> tkelsey: describe said alternative backends plz?
17:03:47 <tkelsey> I'm just trying to find the link
17:04:15 <tkelsey> https://review.openstack.org/#/c/204368/
17:04:32 <timkennedy> o/
17:04:42 <tmcpeak> hi timkennedy
17:04:46 <timkennedy> hello.
17:04:49 <timkennedy> happy thursday
17:04:52 <tmcpeak> tkelsey: interesting, have you guys been following whatever on ML?
17:04:57 <tkelsey> so this is the patch, it's a prototype to use pyasn1 and pycrypto to replace some of the stuff we built on top of pyca/cryptography
17:05:08 <tmcpeak> Stan seems to have proposed this and then there was pushback, any update on that?
17:05:33 <tkelsey> tmcpeak: ah I'm not actually sure
17:05:40 * tkelsey goes to read the ML thread
17:05:47 <Daviey> Stan has also volunteered to write a Spec about how we should be interacting with openssl primitives
17:05:48 <browne> tkelsey: why replace pyca/cryptography
17:05:55 <tmcpeak> fair enough, I guess I could actually read ML once in a while :P
17:05:58 <Daviey> Ah, i type too slow.
17:06:21 <tkelsey> browne: the work we did was a stop gap until pyca/cryptography got the features we need. But it seems that hasn't happened yet
17:06:50 <browne> tkelsey: you could contribute to pyca/cryptography, :)
17:06:50 <tkelsey> so this is an exploration into another approach
17:07:00 <tkelsey> browne: I did :)
17:07:14 <tkelsey> but there is a lot needed and I only have so much bandwidth
17:07:17 <tmcpeak> ok, if Bandit experience is any guide I'd say hash it out with a doc first rather than code ;)
17:07:29 <Daviey> tkelsey: Have we enumerated the gaps in pyca/cryptography, for our needs?
17:07:35 <tkelsey> tmcpeak: there is an etherpad going round with it in
17:07:38 <tkelsey> but yeah
17:08:00 <Daviey> I saw a bug floating around, but no detail
17:08:02 <tmcpeak> ok, maybe if it hasn't been done already socialize the presence of the wiki on ML so the naysayers can jump in and say nay on the etherpad
17:08:04 <tkelsey> it's mostly around the handling of asn1 types and come of the low level CFFI hooks
17:08:12 <tkelsey> *some
17:08:34 <tmcpeak> err socialize the etherpad ;)
17:08:50 <tkelsey> there is also a desire to break free of OpenSSL requirements.... Yeah I'll dig up a lionmk
17:08:53 <tkelsey> *link
17:09:31 <Daviey> ta
17:09:40 <tmcpeak> maybe also on the ML, I don't remember who was against it, but seems like they had fairly strong opinions regarding it
17:09:40 <tkelsey> https://etherpad.openstack.org/p/Anchor_direct_asn1
17:10:08 <tkelsey> tmcpeak: OK, I'll go dig into that
17:10:17 <tkelsey> sorry I'm a bit behind this week :)
17:10:37 <tmcpeak> tkelsey: that's because you're busy writing whole bookcases worth of doc improvements for Bandit :P
17:10:52 <tkelsey> lol, well yeah there is that :P
17:10:57 <tmcpeak> cool, so anything else for Anchor before we switch to Bandit?
17:11:15 <tkelsey> I don't think so, I will try to have more detaisl for us next week
17:11:18 <tkelsey> *details
17:11:29 <tmcpeak> sweet, thanks tkelsey
17:11:32 <tmcpeak> #topic Bandit
17:11:47 <tmcpeak> browne: care to share the good news?
17:12:04 <browne> yep, nova patch to introduce bandit merged, yay
17:12:09 <tmcpeak> woot
17:12:12 <browne> but still need to add the gate job
17:12:14 <tmcpeak> looks like Cinder is close behind
17:12:16 <tkelsey> :D nice one browne
17:12:24 <browne> yeah, cinder is close
17:12:29 <Daviey> Bandit is now in Debian as of today, and in Ubuntu as of 2 mins ago.
17:12:32 <tmcpeak> are you planning to introduce as experimental or non-voting?
17:12:40 <tkelsey> that's awesome
17:12:40 <tmcpeak> Daviey: hah, what?
17:12:44 <tmcpeak> 2 mins ago? sweet!
17:12:46 <browne> non-voting is the plan
17:12:52 <Daviey> tmcpeak: Yeah, i just sync'd it in
17:13:00 <tmcpeak> Daviey: legit!
17:13:06 <tmcpeak> browne: cool, I think that makes sense
17:13:18 <browne> Daviey: very cool
17:13:27 <tmcpeak> I'm wrapping up something at the day job, but next week I'm planning to circle back and do some Bandit gate related stuff
17:13:29 <gmurphy> Daviey: sick. i meant to ping you about that.
17:13:29 <Daviey> tmcpeak: compiling now, https://launchpad.net/ubuntu/+source/bandit/0.12.0-1/+build/7719180
17:13:32 <tmcpeak> can start on some way to keep track of everything
17:13:37 <gmurphy> any plans for the fedoras etc?
17:13:54 <tmcpeak> noice!
17:13:55 <gmurphy> i can probably pick that up if
17:13:59 <gmurphy> not
17:14:04 <Daviey> gmurphy: I wouldn't know where to start with Fedora TBH.. I think there are better qualified people here than me for that :)
17:14:11 <gmurphy> k.
17:14:15 <elmiko> gmurphy: i think it has already been accepted into fedora
17:14:19 * elmiko digs for link
17:14:21 <gmurphy> really?
17:14:26 <tmcpeak> yeah, I think Fedora had it first
17:14:30 <elmiko> yea
17:14:30 <tmcpeak> we also have archlinux
17:14:33 <gmurphy> god you've got to be quick.
17:15:06 <elmiko> so folks on our team got excited about bandit =)
17:15:09 <gmurphy> i didn't even check the package repo before i raised that bug actually
17:15:29 <bknudson> people have been clamoring for a static security analyzer
17:15:32 <gmurphy> https://admin.fedoraproject.org/pkgdb/package/bandit/
17:15:35 <bknudson> we should be charging for it
17:15:44 <tmcpeak> bknudson: +1 :P
17:15:47 <Daviey> elmiko: Is it hitting RDO or not?
17:15:59 <mvaldes> this is awesome.
17:16:03 <elmiko> Daviey: that is a good question, i'll ask around
17:16:13 <mvaldes> we have started adding bandit to CI/CD for internal projects
17:16:22 <elmiko> #link https://bugzilla.redhat.com/show_bug.cgi?id=1217857
17:16:23 <openstack> bugzilla.redhat.com bug 1217857 in Package Review "Review Request: bandit - A framework for performing security analysis of Python source code" [Medium,On_qa] - Assigned to zbyszek
17:16:24 <elmiko> gmurphy: ^^
17:16:29 <uvirtbot> elmiko: Error: Could not parse XML returned by bugzilla.redhat.com: HTTP Error 404: Not Found
17:16:35 <gmurphy> yeah cool.
17:16:48 <gmurphy> ok. well i guess i can close that bug out.
17:16:55 <Daviey> elmiko: The next release will have more sane global bandit.yaml config handling... Would be good to get that in rpm as well
17:17:10 <elmiko> awesome, i'll pass it along
17:17:42 <Daviey> We could also poke AJaeger into trying to get it in opensuse
17:17:55 <tmcpeak> moar distros!
17:18:28 <elmiko> tmcpeak: +1
17:18:40 <tmcpeak> awesome! really exciting Bandit updates this week guys
17:18:46 <tmcpeak> tkelsey: want to mention the doc work you're doing?
17:19:15 <tkelsey> yup :) so last week I was pushing for bug killing, this week it's docs
17:19:22 <tkelsey> https://review.openstack.org/#/c/204136/
17:19:28 <Daviey> Oh! This week, we also got sane plugin interface for bandit.
17:19:40 <tkelsey> Daviey: yeah :D
17:19:46 <tmcpeak> all the improvements!!
17:19:53 <Daviey> Which also means we have support for external plugins now
17:20:07 <sigmavirus24> Yep
17:20:17 <sigmavirus24> We advertised that support previously but now we actually have it
17:20:20 <tkelsey> so that patch is a massive one, and I expect a lot of nits to pick etc
17:20:33 <bknudson> seems like we'd want to pull the openstack-specific checks into a separate repo
17:20:39 <tkelsey> so anyone with spare cycles please go look it over, or at least as much as you can manage :)
17:20:53 <sigmavirus24> tkelsey: would it be possible to split that up into a chain of dependent reviews?
17:20:59 <browne> bknudson: not a bad idea
17:21:02 <sigmavirus24> 1868 lines of docs is going to be ... rough
17:21:09 <Daviey> Oh crikey, that is huge tkelsey
17:21:24 <tmcpeak> bknudson: yeah, I like that idea
17:21:32 <tkelsey> sigmavirus24: that's only about 50% done :-/ I am writing it and pushing it as I go
17:21:41 <tmcpeak> would make it more appealing as a general tool
17:21:54 <Daviey> tkelsey: Much of it is stub pages, that can stay in one commit OMO
17:21:57 <Daviey> IMO*
17:22:14 <elmiko> Daviey: ohhh now you're all for one commit... ;P
17:22:16 <bknudson> would be nice if the docs were in docstrings
17:22:22 <bknudson> so you don't have to find the doc file
17:22:33 <Daviey> elmiko: Pah... no, one commit for stubs is OK :)
17:22:40 <tkelsey> the stub pages are slowly being replaced by real content, I prefer to blast this stuff out and then iterate on it... but yeah it's a monster
17:23:09 <tkelsey> any suggestions for a sensible way to chop it up ?
17:23:29 <Daviey> Thing is, with a monster stub commit.. it makes it easy to have many smaller commits replacing it which don't need to be linked / Depends
17:23:29 <tmcpeak> well you could do the infra part of it separate, then just maybe cut the docs into thirds?
17:23:52 <tkelsey> Daviey: makes sense
17:23:55 <tkelsey> tmcpeak: yeah
17:23:56 <tmcpeak> Daviey: I thought this was the one you were complaining about earlier :P
17:24:15 <tkelsey> OK, I will look to add in stubs and then build new patches to replace them incrementally
17:24:21 <Daviey> tkelsey: for i in $(git status) ; git branch -b $i ; $PROFIT ; done. etc
17:24:50 <tkelsey> lol, yeah splitting it up is easy enough, I just like to work on it atomically
17:25:05 <tkelsey> anyway, it's going to be way too big as one for sure
17:26:08 <tkelsey> so yeah, I'll do a patch for tox etc, then a patch for the skeletal layout, then many patches to add content
17:26:12 <tkelsey> how's that sound?
17:26:17 <sigmavirus24> SGTM
17:26:18 <sigmavirus24> Thanks tkelsey
17:26:34 <tkelsey> awesome :) I'm looking forward to having comprehensive docs
17:26:38 <tmcpeak> awesome, so I'll just take a minute to do some high level back patting
17:26:40 <sigmavirus24> :D
17:26:41 <Daviey> tkelsey: Yeah, that makes sense
17:26:46 <tmcpeak> Bandit has a great community with lots of people putting in great work
17:26:53 <tmcpeak> I'm really happy to see the progress, and keep it up!
17:27:01 <tkelsey> :)
17:27:11 * sigmavirus24 takes that statement to mean the people are mediocre =P
17:27:14 <Daviey> tmcpeak: At some point, we do need to think of new plugins... We are mostly polishing atm
17:27:28 <tmcpeak> Daviey: for sure
17:27:44 <tmcpeak> #topic Sec Guide
17:27:49 <tmcpeak> sicarie, elmiko, Daviey
17:28:03 <elmiko> tmcpeak, Daviey i've been experimenting with a few for sahara
17:28:06 <Daviey> They said it couldn't be converted in a week...
17:28:11 <elmiko> rst conversion is going well =)
17:28:21 <tkelsey> sec guide looks to be getting some serious love :)
17:28:26 <tmcpeak> elmiko: awesome, looking forward to seeing them
17:28:30 <elmiko> indeedy
17:28:33 <tmcpeak> yeah, you guys are going nuts on that
17:28:42 <Daviey> The sec guide rst has been Ninja'd
17:29:07 <Daviey> #link http://etherpad.openstack.org/p/sec-guide-rst
17:29:08 <sicarie> Yep, the conversion to RST format is going really well
17:29:12 <sicarie> Thanks Daviey
17:29:14 <sicarie> Just about to post that
17:29:15 <elmiko> other than that, i think we might have found a few bugs to publish during this conversion too
17:29:17 <Daviey> ^^ still spaces if people want to jump in the water.
17:29:22 <sicarie> +1 elmiko
17:29:54 <sicarie> So we have dg_, pdesai, Daviey, elmiko, and AJaeger doing awesome work converting and reviewing
17:30:02 <Daviey> #link http://docs.openstack.org/draft/security-guide-rst/
17:30:07 <Daviey> ^^ this is what has landed so far.
17:30:12 <dg_> elmiko could do with you taking another look at this, https://review.openstack.org/#/c/205099/
17:30:14 <tmcpeak> nice!
17:30:15 <sicarie> We're through most of the individual chapter files, and are now focused on the sections
17:30:34 <dg_> elmiko I'm happy to change it if I need to, just trying to do what the docs say...
17:30:39 <elmiko> dg_: ack
17:31:00 * Daviey glares at dg_ for large commits.
17:31:22 <sicarie> Heh, and aside from some stylistic preferences, things are moving along
17:31:25 <elmiko> dg_: hmm, i didn't realize we weren't supposed to use doc references
17:31:28 <dg_> Daviey should I do them as a series of smaller commits?
17:31:48 <elmiko> dg_: i like the doc references for these because it automagically pulls the title in place
17:31:50 <Daviey> dg_: There is disagreement... It is fine :)
17:32:12 <dg_> Daviey ok :)
17:32:32 <dg_> I'll go with the majority on the doc vs ref, I'm new to RST
17:32:33 <elmiko> dg_: i'll ask in #-doc to see what they think
17:32:39 <dg_> elmiko thanks :)
17:32:45 <tmcpeak> cool, great work on the guide guys
17:32:50 <elmiko> i've been using :doc: fwiw
17:32:56 <tmcpeak> anything else to mention this week?
17:33:06 <dg_> on the sec-guide
17:33:35 <Daviey> We are also now linting the document, whereas previously we just pretended to... thankfully, it was caught early and there weren't too many issues.
17:33:40 <dg_> navigating the new rst sec guide as it's generated locally and shown here: http://docs.openstack.org/draft/security-guide-rst/# is a bit of a pain because it no longer has the index on the left
17:33:59 <tmcpeak> oh that's cool, real linting beats pretend linting every time
17:34:01 <sicarie> dg_: please post that at the bottom of the etherpad where we're tracking issues
17:34:12 <dg_> is there the option to re-add the index? If not, we should consider having a link to 'top of this section' and 'index' on each page
17:34:26 <Daviey> Is that a problem for US to sort out, or a general issue with the openstack rst theme?
17:34:30 <sicarie> dg_: we'll have to ask the docs team
17:34:35 <sicarie> +1 Daviey
17:34:40 <Daviey> Do the other projects suffer the same issue?
17:34:44 <sicarie> I'll take the action to figure that out
17:34:47 <Daviey> cool
17:35:05 <tmcpeak> shweet
17:35:06 <dg_> +1 Daviey
17:35:31 <tmcpeak> #topic API Testing
17:35:43 <Daviey> Just a general note, I now recognize how much i hated docbook. I think i had Stockholm syndrome
17:35:51 <tmcpeak> lol
17:35:56 <bknudson> he he
17:36:00 <sicarie> +1
17:36:10 <mvaldes> i have no updates on API Testing today, i'm afraid
17:36:12 <tmcpeak> mvaldes: how's it going on the API fuzzing tool?
17:36:13 <tmcpeak> ahh ok
17:36:36 <tmcpeak> #topic Other Business
17:36:39 <Daviey> mvaldes: You were going to see if you could show a public demo of the PoC you had?
17:36:39 <tmcpeak> open floor
17:36:41 <mvaldes> it's been slow going on the clean-up. expect more next week :)
17:36:52 <tkelsey> mvaldes: :)
17:37:04 <tmcpeak> so I'd like to bring up the note I'm working on
17:37:10 <tmcpeak> since there are general keystone experts here
17:37:35 <tmcpeak> specifically this:
17:37:37 <tmcpeak> #link https://bugs.launchpad.net/bugs/1464750
17:37:38 <openstack> Launchpad bug 1464750 in OpenStack Security Notes "Service accounts can be used to login horizon" [Undecided,In progress] - Assigned to Travis McPeak (travis-mcpeak)
17:37:46 <uvirtbot> Launchpad bug 1464750 in ossn "Service accounts can be used to login horizon" [Undecided,In progress]
17:37:47 <uvirtbot> Launchpad bug 1464750 in ossn "Service accounts can be used to login horizon" [Undecided,In progress] https://launchpad.net/bugs/1464750
17:38:09 <tmcpeak> bknudson: I've spoken to nkinder a bit, I'm curious for your take
17:38:42 <tmcpeak> do you think mucking around with policy.json like this is something we should be comfortable recommending to end users? seems like a major overhaul and could have ramifications
17:38:54 <bknudson> I think this is related to the default policy in openstack where if you have a role on a project then you can do a lot of things
17:38:57 <bknudson> like boot an instance
17:39:15 <bknudson> the only way this could be fixed is by changing the policy
17:39:23 <tmcpeak> yeah, service accounts are admin, and therefore can do all the things
17:39:26 <Daviey> tmcpeak: policy.json isn't an end user file, but a cloud admin config file
17:39:38 <bknudson> so it's either the customer changing their policy or us changing the default policy
17:39:51 <tmcpeak> oh sorry, I meant cloud admin when I'm saying "end user" like not OpenStack developers
17:39:52 <bknudson> I'd like to have a better default policy but that's not a security bug in itself.
17:40:04 <Daviey> cloud admins should be entrusted to make config hardening choices based on OSSN guidance IMO.
17:40:04 <bknudson> not all service accounts are admin
17:40:09 <bknudson> in the default policy
17:40:21 <bknudson> I mean in the default setup (devstack)
17:40:36 <bknudson> only nova and neutron service users are granted admin
17:40:50 <bknudson> other ones have "service" role
17:40:55 <Daviey> changing policy.json is unlikely to be stable compatible.
17:41:00 <tmcpeak> oh ok, that does reduce the surface somewhat
17:41:11 <bknudson> but as I said, if you have any role on a project then you can boot an instance
17:41:59 <tmcpeak> that's not what we're worried about though is it?
17:42:09 <Daviey> Some deployments might want that behaviour, which makes it probably incompatible with stable/* policy.
17:42:14 <tmcpeak> we're worried about deleting data, creating malicious users, etc
17:42:22 <tmcpeak> the nasty stuff cloud admins can do
17:42:23 <bknudson> I think that's what the bug is describing
17:42:38 <bknudson> even if you take away nova's admin auth
17:42:45 <bknudson> nova will still be able to boot instances
17:42:51 <bknudson> (same with neutron)
17:42:54 <tmcpeak> well the actual bug is talking about logging in to Horizon, which is a little silly
17:42:56 <bknudson> and they'll be able to login to horizon
17:43:01 <tmcpeak> anything you can do with Horizon you can do with the APIs
17:43:19 <bknudson> I don't know if there's a role required to login to horizon
17:43:32 <tmcpeak> I don't think so, I think Horizon is just a dumb front-end for the APIs
17:44:09 <tmcpeak> ok, well not to rathole this super far, but it seems like bknudson Daviey agree it's feasible to at least write guidance about this
17:44:14 <tmcpeak> so I'm going to go ahead and do so :)
17:44:34 <tmcpeak> I'm not a Keystone expert, I just play one when I'm writing notes
17:44:37 <bknudson> problem is there's no docs on the policy.json's
17:44:58 <tmcpeak> keystone/nova/neutron
17:44:59 <tmcpeak> etc
17:45:16 <Daviey> bknudson: Empty string being permissive is a questionable choice IMO :)
17:45:18 <bknudson> so I couldn't tell someone how to set up their policy to prevent this.
17:45:34 <tmcpeak> bknudson: yeah, nkinder helped point me in the right direction
17:45:43 <tmcpeak> between that and screwing around with devstack for a bit I should be able to figure it out
17:46:56 <tmcpeak> cool, anything else to bring up?
17:47:01 <Daviey> Does anything need to be mentioned about the midcycle?
17:47:18 <tmcpeak> yeah, saw it on the agenda, guess we could go into it really quick :)
17:47:21 <tmcpeak> #topic Midcycle
17:47:35 <tmcpeak> is anybody interested in coming that hasn't put their name on the etherpad?
17:47:45 <tmcpeak> #link https://etherpad.openstack.org/p/security-liberty-midcycle
17:48:05 <Daviey> Yes, but no funding. Poor me.
17:48:35 <tmcpeak> :\
17:48:50 <tmcpeak> would be cool to have you there
17:48:55 <tmcpeak> maybe you can stay in that AirBnb tent?
17:49:16 <dg_> +1
17:49:18 <Daviey> hah, thanks
17:50:13 <tmcpeak> looks like a pretty decent list of folks
17:50:27 <tmcpeak> browne: you going to make it?
17:51:01 <browne> tmcpeak: i should, let me confirm with my manager today
17:51:04 <tmcpeak> ok cool
17:51:07 <tmcpeak> bknudson: how about you?
17:51:43 <tmcpeak> elmiko?
17:52:20 <elmiko> i've passed the numbers up the chain, still waiting for clearance :/
17:52:26 <elmiko> i would really like to be there =)
17:52:31 <tmcpeak> ok cool, fingers crossed then
17:52:56 <tmcpeak> cool, anybody else have anything they'd like to discuss before I close out?
17:53:38 <tmcpeak> alright then, everybody have a good week!
17:53:40 <tmcpeak> #endmeeting