15:00:42 #startmeeting security
15:00:43 Meeting started Thu Sep 19 15:00:42 2019 UTC and is due to finish in 60 minutes. The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:44 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:47 The meeting name has been set to 'security'
15:01:11 hi
15:01:14 #link https://etherpad.openstack.org/p/security-agenda #agenda
15:01:31 o/
15:01:39 o/
15:02:13 Will start in a couple mins
15:02:20 a deh'ya, mon
15:05:21 ok
15:05:38 #topic Deleted user still can delete volumes in Horizon
15:06:14 #link https://bugs.launchpad.net/horizon/+bug/1842930
15:06:15 Launchpad bug 1842930 in OpenStack Dashboard (Horizon) "Deleted user still can delete volumes in Horizon" [High,Confirmed]
15:07:17 this is one place help would be welcomed
15:07:49 it seems we used to have some prominent documentation about the impact of caching authentication and authorization responses, but that has been lost in rewrites
15:08:01 it also may be worthwhile to mention in the security guide
15:08:42 it seems to at least violate the principle of least surprise where user deletion is concerned
15:08:44 agreed
15:09:25 at a minimum, anywhere we document recommendations around token caching, the caveats should be clearly spelled out
15:10:12 yeah
15:11:08 it would be good to clearly define this in both Horizon and the Security Docs
15:12:52 do you know where/when the old version of those docs was?
15:14:47 https://docs.openstack.org/horizon/latest/configuration/settings.html#session-timeout
15:14:50 that's the latest
15:16:25 The issue with viewing older docs is they tend to move pages around between releases
15:16:37 https://docs.openstack.org/horizon/ocata/topics/settings.html#session-timeout
15:21:13 #topic Open Discussion
15:21:22 Floor is open if anyone has anything else
15:22:08 one from me
15:22:22 #link https://bugs.launchpad.net/ossp-security-documentation/+bug/1703353
15:22:23 Launchpad bug 1703353 in OpenStack Security Guide Documentation "Need sections on api audit / cadf" [High,Confirmed]
15:22:51 yeah, I have a sticky note for that
15:23:10 I've read through the linked docs and have a rough idea of what audit middleware does
15:23:27 but not sure what kind of recommendations need to be made
15:23:40 other than "it's important and you should use it" :P
15:24:13 basically that, it could also be good to point out the oslo drivers, ie rabbit vs log file
15:24:28 that the audit middleware outputs to
15:25:05 so admins need to decide which format/destination they want to use?
15:25:39 operators yeah
15:26:04 ok
15:26:23 doesn't seem like much content, I should be able to draft something next week
15:26:37 I would also do something like the keystone cadf docs do, and point out the structure of a sample CADF notification
15:26:52 sure
15:27:23 so, something like "it contains the timestamp, API path, user_id, etc"
15:27:59 because auditors often require this information, and it would be helpful imo to point out what info these notifications have
15:28:08 nickthetait: I can help co-author part of that too
15:28:21 sounds good
15:29:00 as someone who's set it up for their organization :p
15:29:19 anything else?
15:29:25 i'm good
15:31:01 nope
15:33:00 thanks for coming everyone!
15:33:03 #endmeeting