17:00:55 <lhinds> #startmeeting security
17:00:56 <openstack> Meeting started Thu Aug 31 17:00:55 2017 UTC and is due to finish in 60 minutes.  The chair is lhinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:00:57 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:01:00 <openstack> The meeting name has been set to 'security'
17:01:09 <dave-mcc_> o/
17:01:17 <lhinds> hi dave-mcc_ !
17:01:18 <browne> o/
17:01:26 <lhinds> oh and browne , cool!
17:01:50 <lhinds> hyakuhei mdong around?
17:01:54 <mdong> o/
17:02:01 <lhinds> hey mdong
17:02:14 <lhinds> #topic agenda:
17:02:17 <lhinds> https://etherpad.openstack.org/p/security-agenda
17:02:31 <lhinds> anyone wish to make additions, please do..
17:02:45 <lhinds> I will get the ball rolling in the meantime.
17:02:48 <gagehugo> o/
17:02:55 <lhinds> #topic electing more cores.
17:02:58 <lhinds> hey gagehugo !
17:03:42 <lhinds> so I wanted to seed an initial discussion around what we could do to encourage some cores..mainly starting with syntribos and bandit ( mdong / browne )
17:04:03 <lhinds> I can see the two guys above working on the projects, but a lack of core reviewers means patches are not landing.
17:04:47 <lhinds> I have been making an effort to get more busy on bandit and soon syntribos, but it will take me some time to put in a lot of content of worth.
17:04:52 <browne> yeah, several months ago I asked the current cores of bandit if they still wanted to be involved.  all of them wanted to remain cores, but i've seen no activity from them since
17:05:36 <lhinds> browne: ack, I could perhaps reach out to them as well. I guess most have seen their companies move on from openstack.
17:05:56 <browne> and then recently was talking with travis about whether we should move bandit to github (outside of the openstack domain)
17:06:43 <lhinds> browne: how many openstack projects have bandit running at their gate?
17:06:59 <browne> unsure
17:07:18 <gagehugo> I know keystone has it as part of the pep8 gate, cinder has a non-voting one
17:07:23 <browne> quite a few though
17:07:25 <lhinds> dave-mccowan: is barbican running bandit still?
17:07:47 <dave-mccowan> lhinds yes.  i thought by making it part of pep8 gate that most projects are running it.
17:08:01 <lhinds> ah I see.
17:08:10 <dave-mccowan> (or, maybe that was just a keystone thing.)
17:08:30 <lhinds> #action lhinds audit bandit use
17:08:30 <gagehugo> I think a few other projects do the same
17:09:14 <gagehugo> looks like barbican has it as part of pep8
17:09:26 <lhinds> so browne , it's not my call of course, but in regard to porting to github, maybe we could see what we can make happen just over this cycle and if things don't improve, then it's clear what to do.
17:10:18 <lhinds> sounds to me like it's still in use a lot though, for example I did a depends-on patch today for python-keystoneclient. a small example ofc.
17:10:34 <browne> it could still be used by openstack projects
17:10:54 <browne> but by porting to github, might get more contributors
17:11:13 <browne> it has next to no openstack specific code anyway
17:11:21 <browne> and functions a lot like flake8
17:11:35 <lhinds> yep, I see your point.
17:11:51 <lhinds> i guess gate pulls it in from requirements.txt?
17:12:18 <browne> yeah
17:12:40 <lhinds> so we would just switch pypi from openstack tarballs, to github.
17:12:50 <browne> that's the other thing.  i don't have the pypi user/pwd, so i can't push a new release to pypi
17:12:58 <browne> we would need to get that from travis
17:14:01 <mdong> can't that be done from the openstack release process?
17:14:32 <mdong> I don’t remember manually pushing a pypi release the last time we did it for syntribos
17:14:46 <lhinds> that's true ^
17:15:04 <browne> oh ok, i've never done it myself. so maybe it's more automated
17:15:11 <browne> do you just create a tag?
17:15:39 <mdong> I think there’s an openstack-releases repo
17:16:10 <mdong> let me try to find the documentation
17:16:45 <mdong> https://releases.openstack.org/instructions.html
17:17:10 <lhinds> pypi would pull from here: https://tarballs.openstack.org/bandit/
17:17:30 <lhinds> I think(?)
17:17:37 <lhinds> that's normally how it happens
17:18:00 <browne> ok
17:18:58 <lhinds> so not sure how to go ahead here, I personally would like to try and see if we can improve contributions and stay in openstack, but at the same time it's not my baby to be strongly viewed
17:20:03 <gagehugo> browne I can try to devote some time to help reviews for bandit
17:20:26 <lhinds> me too, put a few patches up this week and last.
17:20:29 <browne> we need another core. i'm the only one reviewing
17:20:36 <lhinds> only thing is we need another ... ^
17:21:25 <lhinds> here's what we can do, I will contact travis as I hear from him occasionally and see if he can devote some time to +2's to allow a merge
17:21:48 <browne> he doesn't work on openstack anymore
17:21:58 <browne> works for netflix i believe
17:22:23 <lhinds> or we lower the barrier for bringing in some new cores?
17:23:17 <lhinds> and if things have not improved half way through the next release cycle, port to github?
17:23:42 <lhinds> how would that sound browne ?
17:23:49 <browne> sure
17:24:27 <lhinds> so perhaps myself and gagehugo could come on to help, we would mainly test each patch..and follow on from your +2's?
17:24:55 <browne> sounds good
17:25:00 <gagehugo> works for me
17:25:39 <lhinds> great, I will get onto that.
17:25:56 <lhinds> are all ok, if we go past the 30 minute mark?
17:26:15 <lhinds> was thinking the same issue is there for syntribos ( mdong )?
17:27:04 <mdong> yeah, it’s a little better situation for core reviewers because I can still ping cneill for reviews if need be, even if he’s working on non-openstack projects
17:27:41 <lhinds> ok, that's good. I am monitoring the queue as well so will continue to help.
17:28:30 <lhinds> so for other topics, let me prioritise to the audience. dave-mccowan anything on barbican / PTG you wanted to cover?
17:28:41 <lhinds> we have custodia confirmed from last week.
17:29:22 <dave-mccowan> https://etherpad.openstack.org/p/barbican-ptg-queens
17:29:46 <dave-mccowan> that's the etherpad.  please sign up if you plan to attend and add any topics you'd like to discuss.
17:29:58 <lhinds> thx dave-mccowan
17:30:08 <lhinds> browne: are you at the PTG?
17:30:31 <browne> unfortunately i won't make it.  had already planned a vacation before knowing the dates for PTG
17:30:44 <lhinds> browne: no worries
17:30:55 <browne> would be nice if the PTG organizers released the dates earlier
17:31:05 <lhinds> browne agree
17:31:28 <lhinds> ok, will speed through the next bits..
17:31:32 <lhinds> #topic OSSN
17:31:40 <lhinds> only one in review: https://review.openstack.org/#/c/499176/
17:31:40 <hyakuhei> oh hai guys
17:31:46 <lhinds> oh hey hyakuhei !
17:31:53 <hyakuhei> OSSN triggered my flag ;)
17:32:32 <lhinds> for security-docs, I have got the release notes in for Pike and updated the disclaimer text at the start.
17:32:39 <hyakuhei> looks like 81 is GTG ?
17:32:45 <lhinds> we also have the key management section we will go over at the PTG
17:33:04 <lhinds> raildo: anything on custodia?
17:34:16 <lhinds> for anyone interested there is a custodia session in the barbican room, and it's going forward as an oslo driver
17:34:41 <lhinds> https://github.com/latchset/custodia
17:34:55 <lhinds> it solves the plain text passwords in config files issue
17:35:45 <gagehugo> there's an oslo spec for that right?
17:35:47 <lhinds> ok, I think we can wrap up as we are over time..unless any other points / biz?
17:36:55 <lhinds> hyakuhei (thanks rgding 81, just seen your msg)
17:37:17 <lhinds> ok, thanks all..much appreciate you attending.
17:37:26 <lhinds> see you next week!
17:37:30 <hyakuhei> Cheers
17:37:35 <raildo> sorry, I'm a little bit late
17:37:37 <hyakuhei> Does anyone have any experience with Custodia ?
17:37:47 <hyakuhei> Reads like a discount HC Vault ?
17:37:49 <lhinds> ok, lets go a little longer :P
17:38:03 <hyakuhei> oh it's more of an API
17:38:13 <lhinds> hyakuhei: raildo can give a 101
17:38:24 <hyakuhei> Meh, this isn't security project specific, call it if you want boss!
17:38:41 <gagehugo> hyakuhei we used it as a middleware for storing plain-text values in barbican
17:38:53 <gagehugo> oslo.config -> custodia -> barbican
17:38:58 <hyakuhei> interesting
17:39:17 <lhinds> hyakuhei: https://etherpad.openstack.org/p/oslo-ptg-queens
17:39:22 <gagehugo> there are still unsolved issues, but it's a good step forward worth pursuing imo
17:39:27 <lhinds> *see " Pluggable drivers and Protecting Plaintext Secrets"
17:39:55 <gagehugo> and the point is you can write drivers for other backends too, so you can s/barbican/vault
17:40:03 <gagehugo> or w/e you like
17:40:37 <raildo> hyakuhei, so, Custodia is basically a secrets-as-a-service API, to transport and route secrets in a proper way; there is a storage layer abstraction, where Custodia supports FreeIPA vault, sqlite, etcd, and we added support for Barbican during the integration work
17:40:54 <gagehugo> raildo I'll try to get in the room for that oslo topic
17:41:11 <lhinds> gagehugo +1
17:41:24 <lhinds> also of interest to others might be 'Support for external PDP'
17:41:41 <gagehugo> yeah I need to make myself a schedule heh
17:41:52 <hyakuhei> Sounds interesting, I wonder if it'll run into the same issues as Castellan around identity and how AuthN/Z gets messy with such abstractions
17:42:05 <raildo> gagehugo, that's awesome, we are discussing with the tripleo team having the discussion related to the oslo.config stuff there as well
17:42:27 <gagehugo> raildo nice
17:43:46 <dave-mccowan> i'd like to see Barbican as a consumer of Custodia.  It would be a nice place for us to store the master KEK.  (of course that wouldn't make much sense if we're also the backend)
17:44:00 <raildo> hyakuhei, it's not, since Custodia works with pluggable authentication and authorization methods; actually, we don't want to use the Keystone auth stuff, since we need to store keystone secrets too
17:44:17 <hyakuhei> Excellent
17:44:40 <hyakuhei> So it looks like a secrets abstraction layer, so you can write your software to talk "Custodia" and it takes care of plugging into x/y/z secrets management
17:44:48 <hyakuhei> Obviously useful for OpenStack
17:45:06 <hyakuhei> I wonder if it would be useful for Kube too, they're still working out how to do secrets management nicely.
17:45:15 <raildo> hyakuhei, ++
17:45:37 <raildo> hyakuhei, we have the same Custodia support for docker and kubernetes
17:46:03 <raildo> hyakuhei, that's the idea to have multiple backends for multiple purposes
17:46:22 <hyakuhei> Certainly sounds interesting :)
17:46:29 <gagehugo> yeah that sounds interesting if it works with k8s
17:46:31 <hyakuhei> Thanks for the 101
17:46:50 <raildo> hyakuhei, so, I'm looking at using Barbican to fit better in the OpenStack scenario, but Custodia has a kind of multitenancy support, to have different auth and storage methods
17:47:06 <raildo> hyakuhei, sure, anytime, I hope to explain it better in the PTG
17:47:53 <lhinds> cool, thanks raildo !
17:48:18 <lhinds> ok, so lets close for now..but some good conversations today and thanks all for your attendance.
17:48:46 <lhinds> #endmeeting