18:00:39 #startmeeting OpenStack Security Group
18:00:39 Meeting started Thu Apr 24 18:00:39 2014 UTC and is due to finish in 60 minutes. The chair is bdpayne. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00:40 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
18:00:43 The meeting name has been set to 'openstack_security_group'
18:00:47 greetings everyone
18:00:51 Hello
18:00:54 bdpayne: hi
18:01:01 #topic Rollcall
18:01:03 hi
18:01:07 hi all
18:01:07 hi
18:01:08 Paul Montgomery
18:01:08 part
18:01:09 hello!
18:01:22 Scott @ PayPal
18:01:23 * hyakuhei here :D
18:01:32 Hey malini1 !
18:01:47 hi everyone, thanks for joining today
18:01:48 and here
18:01:51 #topic Agenda
18:02:04 Anything that people would like to add to the agenda today?
18:02:04 here
18:02:12 howdy
18:02:13 her
18:02:15 here*
18:02:38 Busy one today. I don't have much to update - other than I'm working on an update to the guide
18:02:57 I can provide a brief status update on the book
18:02:57 Has anything happened in the threat analysis this week?
18:03:07 yes,
18:03:22 ok, so we can talk about the threat analysis work too
18:03:28 we had a new template, not much outside
18:03:35 and we should do a review of open OSSNs
18:03:51 anything else?
18:03:57 Hi Everybody
18:04:08 ok, let's dive in
18:04:19 #topic Book updates
18:04:32 So I've started coordinating the book update efforts
18:04:44 Cool! Man it hurts to edit this xml.
18:04:44 Right now I'm taking a little time to assess what needs to happen
18:04:56 If anyone has specific asks, please let me know
18:04:59 it shouldn't be painful to write docs
18:05:03 either here, or just by email
18:05:08 is it the tool?
18:05:22 The xml isn't bad... he just likes to complain ;-)
18:05:26 So there's probably a good tool to use but editing the files directly...
18:05:36 Hurts my (small) brain.
18:05:37 it is all in docbook
18:05:40 ...speaking of XML, I do want to talk about OSSN format
18:05:46 @bdpayne we'd like to start to provide enterprise guidance around PCI and compliance, should we consider that part of the book or separate white paperish thing.
18:05:48 sure, we can talk OSSN in a few
18:06:11 ScottCarlsonPP that would be a nice addition to the compliance section of the book
18:06:24 bdpayne: need to make references to the glossary in the book text
18:06:36 perhaps you can send me an email to coordinate moving ahead on that contribution?
18:07:00 #action references the references in the book
18:07:00 bdpayne will do
18:07:27 ScottCarlsonPP: There's plenty that can be added to the existing compliance section too, especially around PCI
18:07:30 #action ScottCarlsonPP to contact bdpayne about compliance updates in the book (PCI and enterprise compliance)
18:07:47 #action bdpayne to review state of glossary and references in the book
18:08:10 what is everyone's feeling around: http://summit.openstack.org/cfp/details/8, "signing messages" to improve security of the rpc
18:08:16 hyakuhei did you mention you have a book update that you're working on?
18:08:34 malini1 let's discuss that at the end
18:08:46 I'd like to keep us focused on the current agenda item atm
18:09:10 :-) yes
18:09:12 yeah just this https://bugs.launchpad.net/openstack-manuals/+bug/1311204
18:09:13 Launchpad bug 1311204 in openstack-manuals "Security Guide should discuss KSM impact" [High,Triaged]
18:09:39 ah fantastic
18:09:46 let me know when you are ready for reviews there
18:10:01 Will do, it'll need a few iterations of review, the writing is pretty crappy
18:10:01 #action hyakuhei is working on https://bugs.launchpad.net/openstack-manuals/+bug/1311204
18:10:20 np
18:10:25 any other book discussion today?
18:10:36 my OSSN format stuff fits in with the book
18:10:45 #topic Moving to OSSN
18:10:55 ok, let's cover some OSSN stuff
18:11:05 I've been playing around with the best way to get the OSSNs to be published in an appendix of the book
18:11:32 This is going to require docbook XML, and that may just be the right format to write and commit them in
18:11:49 perhaps
18:12:01 certainly the easiest
18:12:06 There is a docbook "article" type, and I've manually converted one note to try it out
18:12:13 not the easiest for sure
18:12:14 otherwise, we could translate from a slightly less structured format into docbook
18:12:21 ...but, we need to have ways to translate
18:12:38 if we play it right, the docbook could then be converted into all of the formats that we need / want
18:12:38 we can use RST and translate to XML possibly too
18:12:39 nkinder: OSSN currently in markdown format, it should be easy to convert to docbook?
18:12:47 nkinder: can you post the docbook example somewhere?
18:12:54 e.g., gerrit
18:13:08 http://johnmacfarlane.net/pandoc/
18:13:20 ^^ converts from docbook to markdown and back again
18:13:21 bknudson: I haven't yet, but I can. I was still hashing through details with anne
18:13:39 bdpayne: ok, I'll take a look at that. I would prefer to edit in markdown or RST or something other than XML
18:13:56 so I would say either switch to docbook or explore tools to automate the conversion from markdown... if the latter then we should validate that conversion using gerrit
18:14:04 the gate jobs can then ensure that they convert properly, and publishing can convert and publish
18:14:14 nkinder, yes I agree and I think that sticking with markdown is a good idea
18:14:20 exactly
18:14:44 #action nkinder to explore conversion from markdown to docbook using the gate jobs
18:14:46 I'll continue to hash out the right docbook end result with anne, then will figure out how we can translate
18:14:52 that would be great
18:14:57 so getting it in docbook is step1
18:15:07 any thoughts on how to go from there to actually having it in the book appendix?
18:15:15 If we auto publish to the book, do we even need to publish on the wiki?
18:15:16 i am currently converting doc and xls to markdown format
18:15:37 bdpayne: well, that's part of what I'm discussing with Anne. There are ways to do an include, but we need to hash out the details.
18:15:39 I think that putting it on the wiki is handy
18:16:00 but we should balance that against the amount of manual work
18:16:03 but the docs are on the wiki too
18:16:11 ideally, I'd like an approved OSSN to auto publish to all the right places
18:16:32 +1 to also have on wiki instead of having to download full book
18:16:33 We would have to see what sort of auto wiki publishing is available. Next steps after the book.
18:16:37 right but I'm not sure if people will look into the back of the book to find an OSSN
18:16:55 We still need to e-mail them out regardless
18:17:12 #action nkinder to continue to explore right path for integration of OSSNs into book appendix
18:17:13 hopefully there's a docbook rendering to text
18:17:31 we render to html and to pdf by default
18:17:40 but docbook can render to lots of different formats
18:17:48 bknudson: or markdown to text if we write in markdown
18:17:57 ok, I have lots to explore here :)
18:18:01 indeed
18:18:05 thanks for taking this on nkinder
18:18:08 sure
18:18:16 are there any open OSSNs at this point?
18:18:18 +1 - very useful
18:18:21 There are 2
18:18:39 one is owned by hyakuhei, the other has someone who was interested and then disappeared
18:18:42 https://bugs.launchpad.net/ossn
18:19:01 so which one needs an owner?
18:19:18 So one is up for grabs if anyone is interested - https://bugs.launchpad.net/ossn/+bug/1260679
18:19:21 Launchpad bug 1260679 in cinder "Multiple drivers set insecure file permissions" [High,In progress]
18:19:35 It's a pretty easy one I think
18:19:49 any takers?
18:20:08 if easy, i shall take!
18:20:10 is everyone familiar with what is involved here?
18:20:16 ok, thanks malini1
18:20:24 malini: thanks!
18:20:30 fwiw, writing an OSSN is pretty easy and we have gentle reviewers ;-)
18:20:36 it's a great way to get involved
18:20:38 We could possibly do with a mini version of the 'GerritWorkflow' page
18:20:40 :-)
18:20:50 malini1: I can help through the process if needed. Just let me know.
18:21:17 #action malini1 to work on https://bugs.launchpad.net/ossn/+bug/1260679
18:21:18 Launchpad bug 1260679 in cinder "Multiple drivers set insecure file permissions" [High,In progress]
18:21:27 thanks nkinder!
18:21:34 ok anything else for OSSNs?
18:21:49 #topic Threat analysis update
18:22:01 shohel02 could you provide an update for us?
18:22:19 Yes, i have started to convert doc and XLS format to markdown format
18:22:40 we think its an issue for reviewing and tracking
18:22:44 excellent
18:22:52 you may find that tool I linked earlier to be useful too
18:22:53 https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/Project_ThreatAnalysis_ComponentName_Number.md
18:23:00 here is some sample
18:23:15 https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/Formatted_Output/Keystone_ThreatAnalysis_TokenProvider_2.9.md
18:23:32 https://github.com/shohel02/OpenStack_Threat_Modelling/blob/master/keystone/Formatted_Output/Keystone_ThreatAnalysis_HighLevel.md
18:24:01 excellent
18:24:16 Another thing is david, HP and our threat analysis involved people are planning to go through the threat process again
18:24:29 that would be good review
18:24:33 sounds good
18:24:37 any other next steps?
18:24:48 or areas where you need help from the group?
18:25:02 bknudson: has anyone on the keystone core side been reviewing the threat analysis?
18:25:04 One of the steps is after markdown complete help is required from keystone developers
18:25:30 shohel02: just for review, or anything else in particular?
18:25:31 nkinder: I believe I mentioned the auth_token threat analysis at the keystone meeting once
18:25:32 here we need help
18:26:04 thanks..
18:26:15 yeah, it would be great to get someone(s) from keystone core to be involved
18:26:22 to make sure that the ideas are represented accurately
18:26:27 yes
18:26:32 and to perhaps just open a communication channel
18:26:44 ok, so a review at first, but I expect that some proposed improvements can come out of the analysis as well
18:27:00 i think OSSG people can also review the threats and docs
18:27:02 I'm hoping things will settle down here soon so I can get more involved in security work
18:27:13 yeah, and also to help keep the proposed improvements as things that are doable
18:27:17 bknudson, I'm in the same boat.
18:27:24 I think everyone is :)
18:27:30 heh
18:27:40 ok, thanks for the update shohel02
18:27:42 I can help review too since I've been developing more on keystone too
18:27:46 anything else on threat analysis?
18:27:48 * morganfainberg is in-fact here, just quiet.
18:27:52 that's great
18:28:06 that's all
18:28:09 #topic Open Discussion
18:28:20 malini1 asked about http://summit.openstack.org/cfp/details/8
18:28:27 perhaps we start there
18:28:36 I'm pretty familiar with that effort
18:28:42 I know that this and related issues have come around at each summit for the past several
18:28:53 malini1: Was there something in particular you wanted to know?
18:29:00 Earlier there was a kerberos like effort from Simo but this is lighter weight
18:29:33 and in conjunction with us keeping certs in barbican, this is lighter weight
18:29:37 at a high level, this sounds good but it is all in the details for stuff like this
18:29:46 I'd like to attend this session and learn more
18:29:59 Kinda feels like PGP re-invented with x509
18:30:07 central registry etc.
18:30:12 here's some background...
18:30:26 The Kite project is the first step, which uses symmetric crypto
18:30:54 lots of low-level detail is here - https://wiki.openstack.org/wiki/MessageSecurity
18:31:05 is kite planned for juno?
18:31:23 bknudson: it's going into barbican, but my guess is that it will be at a POC level for Juno
18:31:24 going to be part of identity or barbican?
18:31:38 it will require changes on the oslo.messaging side to use it
18:31:58 it has some caveats for group messaging though, which is where PKI might help out
18:32:17 I covered this pretty well in the API doc for Kite/KDS
18:32:58 * bdpayne notes the time, but doesn't believe the meeting room is in use for another 30 min...
18:32:58 I have some slides and diagrams on how it works that might be of interest to folks too
18:33:20 nkinder I'd certainly be interested
18:33:21 :-)
18:33:29 +1 for slides
18:33:30 ok, let me dig up the API doc
18:33:33 perhaps you can send something out to the ML
18:33:37 will do
18:33:41 Yes please.
18:33:47 me too
18:33:48 warning that it's a lot of slides as it was made for an in-person preso
18:33:49 looked like the conference would have rooms for each project -- is there one for security?
18:33:57 so the diagrams are useful, but the words are sparse
18:34:00 security won't have a room
18:34:10 who here is going to be at the summit?
18:34:10 but we do have a session in the cross project room
18:34:12 hang out in identity room
18:34:26 Maybe I can present it to OSSG folks outside of a session
18:34:27 I tend to hang out with Keystone and, these days, Barbican
18:34:37 o/ I will be at the summit
18:34:41 nkinder: yeah something like that might work
18:34:43 I have a topic that I would like to bring up
18:34:53 * ScottCarlsonPP is at summit. doing a presentation PayPal and "is your cloud compliant"
18:35:01 will be in the summit
18:35:03 elo go for it
18:35:16 malini at summit too
18:35:26 are we aware of the open policy framework being worked on called Congress
18:35:37 I'll be at the Summit
18:35:38 #action bdpayne to schedule an OSSG meetup at the summit
18:35:55 I am not aware of Congress
18:36:37 https://wiki.openstack.org/wiki/Congress
18:36:40 it's still in the early stage and some of the developers are trying to get people more involved to get it to incubation status
18:37:08 it provides policy as a service across different cloud services
18:37:16 https://wiki.openstack.org/wiki/Congress
18:37:29 who is driving this effor?
18:37:35 elo -- would that mean policy move out of keystone?
18:37:38 s/effor/effort/
18:37:39 Peter Ballard
18:38:00 policy is sort of out of keystone AFAIK
18:38:16 keystone defines roles and policy for keystone, but everyone else has their own policy.json, right?
18:38:18 policy in OSLO
18:38:18 the policy code was moved to oslo
18:38:24 and a few other developers at VMware.. and a few other developers at other companies
18:38:30 something coming up in barbican is control access at the level of each key on the basis of domain/project/user
18:38:36 every project has their own policy.json
18:39:02 it seems that policy is in each project and there isn't a common broker... we should look into this a little more
18:39:15 https://wiki.openstack.org/wiki/Congress
18:39:31 elo: it's an interesting effort, but it's going to take buy-in from all of the projects
18:39:34 so is this for the control plane or for the guests?
18:39:51 oh, and getting this stuff right is... hard
18:39:55 very
18:40:14 also, does every service have to go to congress to check policy every time?
18:40:35 if so, it becomes a bottleneck. So in comes caching, etc.
18:40:40 no, services have to send lobbyists to congress on their behalf.
18:40:45 LOL
18:41:04 :-D
18:41:04 ha
18:41:27 its very open and flexible, so it really is how things are configured to leverage it...
18:41:34 so, interesting project with lots of open questions
18:41:48 could be interesting to chat to the people working with this at the summit
18:41:53 correct... i just want to make sure people are aware of it on this list.
18:41:57 yeah, thanks
18:42:03 there will be an unconference on it I know
18:42:08 ahh, handy
18:42:16 One more thing on the secure messaging topic. The API doc I mentioned is here - https://github.com/stackforge/kite/blob/master/doc/source/api/v1.rst
18:42:29 this sounds like something that needs to have terms defined very succinctly. there's a lot of definitions of this stuff out there. scares me a bit that implementation directives won't match between plugins
18:42:36 The beginning covers the use-case and how things work pretty well, so it's good reading if you want to know more about it.
18:42:51 ...of course I'm biased since I wrote a good chunk of it :)
18:44:31 cool, I'll check it out
18:44:33 @nkinder there are several models in Congress: proactive, reactive, interactive, so once policies are set congress may act proactively, react to request from other modules, or work on behalf of additional admin decisions
18:44:36 any other business ?
18:44:42 is secure messaging more than using SSL for qpid/kombu/whatever?
18:45:03 bknudson: yes, absolutely
18:45:26 bknudson: SSL is for encrypting the communication with the broker
18:45:36 the broker can then read (and modify) the message contents
18:45:50 secure messaging means the sender encrypts/signs for the recipient(s)
18:46:03 the broker does not need to be trusted, and it can't tamper with the message contents
18:46:34 bknudson: I'll send out my slides. I have nice diagrams that show the difference between broker SSL/TLS and what Kite does
18:46:34 let's take the PKI for messaging discussion to the mailing list
18:46:39 which of course means you need to know the current keys for the destination
18:46:48 I think that it will be of broad interest
18:46:54 and we should probably wrap things up here
18:46:59 hyakuhei: short lived tickets... That's where Kite comes in
18:47:05 ok, enough here. :)
18:47:05 nkinder: slides would be great. thanks
18:47:12 thanks everyone
18:47:17 thanks all!
18:47:21 #endmeeting