#openstack-meeting log

15:00:42 <gagehugo> #startmeeting security
15:00:43 <openstack> Meeting started Thu Sep 19 15:00:42 2019 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:44 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:47 <openstack> The meeting name has been set to 'security'
15:01:11 <nickthetait> hi
15:01:14 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda #agenda
15:01:31 <mhen> o/
15:01:39 <gagehugo> o/
15:02:13 <gagehugo> Will start in a couple mins
15:02:20 <fungi> a deh'ya, mon
15:05:21 <gagehugo> ok
15:05:38 <gagehugo> #topic Deleted user still can delete volumes in Horizon
15:06:14 <gagehugo> #link https://bugs.launchpad.net/horizon/+bug/1842930
15:06:15 <openstack> Launchpad bug 1842930 in OpenStack Dashboard (Horizon) "Deleted user still can delete volumes in Horizon" [High,Confirmed]
15:07:17 <fungi> this is one place help would be welcomed
15:07:49 <fungi> it seems we used to have some prominent documentation about the impact of caching authentication and authorization responses, but that has been lost in rewrites
15:08:01 <fungi> it also may be worthwhile to mention in the security guide
15:08:42 <fungi> it seems to at least violate the principle of least surprise where user deletion is concerned
15:08:44 <gagehugo> agreed
15:09:25 <fungi> at a minimum, anywhere we document recommendations around token caching, the caveats should be clearly spelled out
15:10:12 <gagehugo> yeah
15:11:08 <gagehugo> it would be good to clearly define this in both Horizon and the Security Docs
15:12:52 <nickthetait> do you know where/when the old version of those docs were?
15:14:47 <gagehugo> https://docs.openstack.org/horizon/latest/configuration/settings.html#session-timeout
15:14:50 <gagehugo> that's the latest
15:16:25 <gagehugo> The issue with viewing older docs is they tend to move pages around between releases
15:16:37 <gagehugo> https://docs.openstack.org/horizon/ocata/topics/settings.html#session-timeout
15:21:13 <gagehugo> #topic Open Discussion
15:21:22 <gagehugo> Floor is open if anyone has anything else
15:22:08 <nickthetait> one from me
15:22:22 <nickthetait> #link https://bugs.launchpad.net/ossp-security-documentation/+bug/1703353
15:22:23 <openstack> Launchpad bug 1703353 in OpenStack Security Guide Documentation "Need sections on api audit / cadf" [High,Confirmed]
15:22:51 <gagehugo> yeah, I have a sticky note for that
15:23:10 <nickthetait> I've read through the linked docs and have a rough idea of what audit middleware does
15:23:27 <nickthetait> but not sure what kind of recommendations need to be made
15:23:40 <nickthetait> other than "its important and you should use it" :P
15:24:13 <gagehugo> basically that, it could also be good to point out the oslo drivers, ie rabbit vs log file
15:24:28 <gagehugo> that the audit middleware outputs to
15:25:05 <nickthetait> so admins need to decide which format/destination they want to use?
15:25:39 <gagehugo> operators yeah
15:26:04 <nickthetait> ok
15:26:23 <nickthetait> doesn't seem like a much content, I should be able to draft something next week
15:26:37 <gagehugo> I would also do something like the keystone cadf docs do, and point out the structure of a sample CADF notification
15:26:52 <nickthetait> sure
15:27:23 <gagehugo> so, something like "it contains the timestamp, API path, user_id, etc"
15:27:59 <gagehugo> because auditors often require this information, and it would be helpful imo to point out what info these notifications have
15:28:08 <gagehugo> nickthetait: I can help co-author part of that too
15:28:21 <nickthetait> sounds good
15:29:00 <gagehugo> as someone who's set it up for their organization :p
15:29:19 <gagehugo> anything else?
15:29:25 <nickthetait> i'm good
15:31:01 <mhen> nope
15:33:00 <gagehugo> thanks for coming everyone!
15:33:03 <gagehugo> #endmeeting