15:03:47 <gagehugo> #startmeeting security
15:03:47 <openstack> Meeting started Thu Jul 25 15:03:47 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:03:48 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:03:50 <openstack> The meeting name has been set to 'security'
15:03:55 <fungi> aloha
15:04:01 <gagehugo> sorry still in a meeting
15:04:08 <fungi> no worries, me too ;)
15:04:10 <mhen> o/
15:04:12 <gagehugo> Should be done soon
15:04:15 <gagehugo> o/
15:06:50 <fungi> #link https://etherpad.openstack.org/p/security-agenda Security SIG Weekly Meeting Agenda
15:07:28 <gagehugo> thanks, I was failing on my phone
15:08:03 <fungi> no worries, there's another bugset i can add
15:08:07 <gagehugo> #topic CIDR's of the form 12.34.56.78/0 should be an error Edit
15:08:21 <gagehugo> #link https://bugs.launchpad.net/horizon/+bug/1837339
15:08:22 <openstack> Launchpad bug 1837339 in OpenStack Security Advisory "CIDR's of the form 12.34.56.78/0 should be an error" [Undecided,Incomplete]
15:09:00 <gagehugo> Looks like this is a good security hardening opportunity
15:11:24 <gagehugo> If interested, feel free to take a look
15:11:59 <gagehugo> #topic IFLA_BR_AGEING_TIME of 0 causes flooding across bridges
15:12:08 <gagehugo> #link https://bugs.launchpad.net/os-vif/+bug/1837252
15:12:09 <openstack> Launchpad bug 1837252 in os-vif "IFLA_BR_AGEING_TIME of 0 causes flooding across bridges" [High,Confirmed] - Assigned to sean mooney (sean-k-mooney)
15:12:09 <fungi> yeah, at the moment it's in a good place to weigh in on what you think the correct user interface is for horizon's handling of cidrs
15:12:17 <fungi> 1837339 i mean
15:12:44 <fungi> 1837252 got brought to my attention today
15:14:03 <gagehugo> yeah I will take a look at it today
15:14:28 <fungi> there's also another linked in the agenda which was known as a potential vulnerability for a while (via one of its marked duplicates), and seems to have very similar symptoms but is thought to stem from somewhere else
15:14:59 <gagehugo> ah ok
15:15:09 <gagehugo> #link https://bugs.launchpad.net/neutron/+bug/1732067
15:15:10 <openstack> Launchpad bug 1732067 in neutron "openvswitch firewall flows cause flooding on integration bridge" [High,In progress] - Assigned to LIU Yulong (dragon889)
15:16:28 * gagehugo will read those later
15:16:41 <gagehugo> fungi: anything else to add to those?
15:17:00 <fungi> nothing i haven't already put in comments on the bugs themselves, no
15:17:05 <gagehugo> ok
15:17:12 <gagehugo> #topic open discussion
15:17:28 <gagehugo> floor is open if anyone has anything
15:17:28 <fungi> assistance in reproducing/fixing those public reports would be most appreciated
15:17:33 <gagehugo> ^
15:17:37 * mhen raises hand
15:17:39 <fungi> especially figuring out whether they're related
15:18:08 <mhen> I'd like to discuss a topic regarding API policy files
15:19:45 <mhen> recently I tried enforcing non-default rules in Cinder and Nova and happened to notice that: 1) Nova only accepted json but not yaml and 2) Cinder did accept only yaml but not json for the policy.yaml or policy.json respectively
15:20:22 <gagehugo> interesting
15:20:24 <mhen> Cinder does override [1] the default from oslo policy [2], whereas Nova doesn't seem to do that
15:20:36 <mhen> [1] https://github.com/openstack/cinder/blob/0ec28f84289490c80688a58244e091224c9c8393/cinder/policy.py#L31
15:20:55 <mhen> [2] https://github.com/openstack/oslo.policy/blob/1e3f81c89b49451bd4c32a12f5a338441c5c1e56/oslo_policy/opts.py#L38
15:21:32 <gagehugo> cinder's commit for that was https://github.com/openstack/cinder/commit/8c132193923168150fdc7f62a20e2d887cde723b
15:22:06 <mhen> So if an operator/provider deploys their own policy files and doesn't pay attention, one of their files might be ignored without them immediately noticing
15:22:39 <mhen> if you search online, there is much talk about the json or yaml but it's hard to find a resource telling you exactly where to use which
15:23:01 <gagehugo> I thought there was a movement a while ago to use yaml, but I could be remembering that wrong
15:23:11 <gagehugo> obv still supporting json
15:23:23 <bnemec> yaml was preferred because it allows comments
15:23:39 <gagehugo> ah yeah
15:23:53 <mhen> yaml has advantages, but simply ignoring a supplied json silently doesn't look good to me
15:23:59 <bnemec> So it's what we're shipping for sample policy configs because it allows us to inline the description text.
15:24:37 <bnemec> Agreed that neither should be ignored though. Both are still supported.
15:24:46 <nickthetait> this does sound like a security bug to me
15:25:16 <gagehugo> could open one against cinder and nova and get to the bottom of this
15:25:20 <mhen> note: you can change this in the respective components config (e.g. nova.conf) but the problem here is that the defaults are different
15:25:22 <gagehugo> mhen: what release are you using?
15:25:35 <mhen> gagehugo, queens currently
15:25:41 <gagehugo> ok
15:25:41 <mhen> but looked up the code in master
15:26:00 <mhen> seems to be no different in master either, see links above
15:26:14 <mhen> Nova says json: https://github.com/openstack/nova/blob/a37a035c9d359b29fed6ea08bc99b93e51164e61/doc/source/configuration/index.rst
15:26:52 <gagehugo> their documentation might need updating
15:27:01 <gagehugo> their policy generator says policy.yaml
15:27:02 <gagehugo> https://github.com/openstack/nova/blob/master/etc/nova/nova-policy-generator.conf
15:27:51 <mhen> gagehugo, but I wasn't able to find the overriding part in Nova as found in Cinder, so Nova falls back to json as per oslo.policy code if I got that right
15:28:17 <mhen> see [1] and [2] above
15:28:49 <gagehugo> ok
15:29:10 <mhen> at least that's what I observe in queens right now and looking at the code, in master it hasn't changed
15:29:45 * gagehugo takes notes of all this
15:31:27 <mhen> thanks
15:31:31 <gagehugo> mhen: ok, I can dig into this a bit
15:32:25 <mhen> thank you!
15:32:49 <gagehugo> thanks for bringing this up!
15:32:52 <gagehugo> anything else?
15:32:55 <nickthetait> I have a bit of news on security guide updates
15:33:28 <nickthetait> submitted first few patches https://review.opendev.org/#/q/is:open+owner:nickthetait
15:33:41 <gagehugo> nice
15:33:45 <nickthetait> pretty minor stuff so far, needing reviews
15:34:20 <nickthetait> and one quick questions, is this "future" section right at the bottom of this page still needed? https://docs.openstack.org/security-guide/identity/federated-keystone.html
15:34:33 <gagehugo> I'll take a look
15:34:48 <gagehugo> nickthetait: I can ask in keystone
15:34:57 <nickthetait> thx
15:35:10 <nickthetait> thats all I have
15:35:23 <gagehugo> thanks!
15:35:27 * gagehugo needs to run
15:35:37 <gagehugo> thanks everyone! have a good rest of the week
15:35:40 <gagehugo> #endmeeting