14:05:20 <jaosorior> #startmeeting OPNFV Security Group 14:05:20 <collabot> Meeting started Wed May 6 14:05:20 2015 UTC. The chair is jaosorior. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:05:20 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic. 14:05:20 <collabot> The meeting name has been set to 'opnfv_security_group' 14:06:07 <jaosorior> still figuring out how the actions work in this 14:06:55 <jaosorior> alright 14:06:57 <mwinandy> I think you simply set the topic with the topic command, then we info about it 14:07:05 <jaosorior> ah, fair enough 14:07:37 <jaosorior> still figuring out what the next topic will be though, there is not much info in the etherpad 14:07:53 <aripie> #topic agenda 14:07:53 <jaosorior> I could bring up inspector stuff in a bit. Got anything on your side mwinandy? 14:08:00 <jaosorior> #topic Agenda 14:08:33 <mwinandy> some info about getting in touch with Moon 14:09:01 <jaosorior> Alright, so I guess mostly we will touch Moon and then inspector, that sounds fair enough? 14:09:46 <aripie> I am good with that 14:09:52 <jaosorior> #agreed Agenda 14:10:02 <jaosorior> #topic Moon 14:10:22 <jaosorior> So, what's up mwinandy? 14:10:41 <mwinandy> #info discussed with Ruan He (Orange) about how to contribute to Moon 14:11:20 <jaosorior> Do you know if the main contributors to Moon will be in the OpenStack summit? 14:11:35 <mwinandy> hm, don't know 14:12:07 <mwinandy> #info they are preparing to revise the proposal 14:12:12 <jaosorior> It would probably be appropriate to sync there 14:12:17 <jaosorior> alright 14:12:53 <jaosorior> What's missing from their proposal? 14:13:05 <mwinandy> #info I had a look at a running demo of Moon. It supports RBAC and MLS access policies for users/tenants on OpenStack currently. 14:13:39 <mwinandy> not clear what's missing, I'll try to find out :) 14:13:53 <jaosorior> How does it relate to keystone? 14:14:29 <mwinandy> #info Moon prototype code is currently standalone, but should be an extension for Keystone in next release. 14:14:33 <jaosorior> And, do you know if Moon has its own timeslot for meetings? If not, maybe they should bring up some stuff here too 14:14:59 <jaosorior> mwinandy: an extension for what? for the assigment or the identity backend? 14:15:16 <jaosorior> or is it gonna replace the policy engine? 14:16:13 <mwinandy> #info Moon will not replace policy engine, instead using existing one. But adds policy configuration and policy decision point. 14:16:30 <jaosorior> I see 14:16:50 <mwinandy> As you ask (and others) these questions, I think that is what should be added to the proposal and make more clear. 14:17:09 <jaosorior> I think the best thing would be to try to get them involved in the security group, probably some people here will have questions 14:17:16 <jaosorior> at least I do 14:17:34 <mwinandy> yes, let's invite them to join 14:17:47 <jaosorior> #action Invite the contributors to the Moon project to the next Security Group meeting 14:17:57 <mwinandy> I think Moon can be an important part of the opnfv security architecture. 14:18:06 <aripie> moon is not listed on opnfv meetings page 14:18:52 <jaosorior> I'll send a mail to the list and openly invite them to the next meeting 14:19:11 <jaosorior> mwinandy: thanks for the info. Anything else you wanna share regarding that? 14:19:23 <mwinandy> #info OpenStack has a lot of modules, each with their own (security) config. Moon wants to build a centralized policy management for all things in OpenStack, SDN controller, etc. Also place hooks in those components that they can directly enforce dynamic changes in the policy. 14:20:10 <jaosorior> * digging out a relevant link* 14:21:00 <jaosorior> #link http://www.mail-archive.com/openstack-dev@lists.openstack.org/msg52144.html 14:21:49 <jaosorior> #info that is worth a read, one of the keystone core-devs gives a really good insight about how policy works and some relevant aspects to take into account 14:22:00 <jaosorior> It would be very beneficial for the moon project if they properly sync with the guys from Keystone 14:22:00 <mwinandy> good! 14:22:34 <jaosorior> At least he agrees on the dynamic/centraliced policy 14:22:42 <jaosorior> as stated: ") Making the policy centrally sourced (i.e. in keystone) and more dynamic seems eminently sensible." 14:22:48 <mwinandy> I'm going to be involved, so I will take that. 14:23:00 <B_Smith> Is there a link describing moon? 14:23:12 <mwinandy> #link https://wiki.opnfv.org/moon 14:23:12 <jaosorior> #link https://wiki.opnfv.org/moon 14:23:42 <B_Smith> thanks 14:24:51 <jaosorior> any other info/questions? 14:26:08 <mwinandy> that's it from my side so far 14:26:26 <jaosorior> Alright, thanks for the info 14:26:36 <jaosorior> next topic 14:26:40 <jaosorior> #topic inspector 14:26:48 <B_Smith> There was an ETSI sec LI doc contribution out this morning...guess cannot share that though. 14:27:10 <B_Smith> sorry, missed change in subject 14:27:29 <jaosorior> B_Smith: we can touch that after this topic, it's the last one we had agreed on 14:27:57 <jaosorior> #info The inspector project had a community review last Thursday, so it seemed that people agreed on the proposal 14:28:44 <jaosorior> Luke had actually mentioned he would try to bring some ETSI people, as it would be very beneficial to sync requirements for inspector 14:28:50 <jaosorior> for anyone interested: 14:29:02 <jaosorior> #link https://wiki.opnfv.org/requirements_projects/inspector 14:29:42 <jaosorior> hopefully next meeting we can sync with the Moon project, since probably some of the stuff that inspector will touch upon (at least on the OpenStack side) would be beneficial for Moon to use 14:30:36 <mwinandy> and vice versa: if Moon changes policy settings, that should probably audited/logged as well 14:30:51 <jaosorior> from the people here, besides aripie, who is intending to contribute to inspector? 14:31:11 <mwinandy> I'm trying to get a colleague to contribute 14:31:48 <jaosorior> mwinandy: that is correct, but we need to sit down with the Moon people, cause there are some considerations in regards to the auditting solution in OpenStack, and things that need to be done as a pre-requisite 14:32:23 <jaosorior> so I want to figure out how the project will be set-up, and if it needs similar settings as the OpenStack modules do 14:32:49 <jaosorior> or how do Moon intends to be "auditted" 14:33:06 <aripie> would moon also decide on audit policy? 14:33:09 <jaosorior> Since at the moment, most of the OpenStack operations auditting is directed towards the ceilometer event database 14:33:13 <mwinandy> I think that point is missing in Moon, and I wanted to suggest to sync there, too 14:33:52 <jaosorior> well, something we need to do is invite people to openly discuss inspector 14:34:08 <jaosorior> we already agreed that we're gonna invite the moon contributors to the next meeting 14:34:14 <jaosorior> so hopefully next week we can sync 14:34:19 <mwinandy> so far moon considers authorization of objects, APIs etc. from that, looking at audit policy as an "object" you want to change, I think it should be part of it some how 14:34:33 <jaosorior> #action invite the mailing list to discuss the inspector project 14:35:23 <jaosorior> mwinandy: if it aims to be working with openstack, it would be beneficial for Moon to adopt some OpenStack ways of working. But it depends on the architecture that's planned and to many other things 14:35:39 <jaosorior> Hopefully we can sync very soon and get these things clearer 14:35:53 <jaosorior> because probably we don't have all the info 14:36:11 <jaosorior> but also maybe they could benefit on re-using some of the things that are already in OpenStack 14:36:40 <jaosorior> Anyway, regarding Inspector 14:37:22 <jaosorior> We probably need a repo for some documents that will be generated, and there we would also document any relevant blueprints that come out of the project 14:37:53 <jaosorior> my idea was to mostly work with git/gerrit, since it gives you the capability of commenting inline in the text 14:37:58 <jaosorior> does that suit people? 14:38:56 <mwinandy> as these are the typical tools, no objection from my side 14:39:05 <jaosorior> aripie? 14:39:39 <aripie> ok 14:39:47 <jaosorior> ok 14:39:56 <jaosorior> #action request the Linux Foundation for a repo for Inspector 14:40:20 <jaosorior> Would people find it beneficial that I write an overview of how audit works in OpenStack at the moment as documentation in the repo? 14:40:34 <aripie> yes 14:40:39 <mwinandy> yes 14:40:41 <jaosorior> I was planning to do that anyway, it's just a matter of where to put that: in the repo or in a separate blog post or something 14:41:03 <aripie> better keep in the repo, refer to that from elsewhere 14:41:14 <jaosorior> ok 14:41:35 <jaosorior> #action jaosorior to write an overview of audit in OpenStack in the Inspector repo 14:41:56 <jaosorior> #action set up a proper sphinx project structure in the repo 14:42:19 <jaosorior> I guess we have to wait for Luke for the ETSI related stuff (regarding being in sync with their requirements too) 14:43:00 <aripie> B_Smith: you and Ashutosh are in ETSI NFV, coould you get other relevant people join? 14:44:28 <jaosorior> and the first thing that we need to come up with, is how actually test audit in an end-to-end fashion. So we need to come up with a proposal for either Tempest, or another solution such as Yardstick if Tempest is not sufficient (I'm still evaluating that) 14:46:13 <jaosorior> Since at the moment there is no actual way to actually verify (in an actual test-case) that an audit event was properly logged 14:46:24 <jaosorior> and that the taxonomies that already exist are sufficient 14:46:44 <jaosorior> I will bring this up again next week anyway 14:46:47 <aripie> and the integrity of the audit config 14:47:06 <jaosorior> true 14:47:24 <mwinandy> +1 for integrity :) 14:47:50 <jaosorior> hahaha everybody is interested in integrity, hopefully we can bring it up soon. We also need to figure out the scope of integrity 14:48:09 <mwinandy> Do 14:48:20 <jaosorior> since, besides config integrity, we would be touching event-record integrity if it's actually needed in some requirements 14:48:29 <aripie> it is 14:48:36 <jaosorior> ok 14:48:43 <jaosorior> I would still like to sync with ETSI first 14:48:56 <jaosorior> just to know we're on the same page, or to know if we are missing something 14:49:14 <jaosorior> since, once we get audit tests set up (which hopefully could become a test gate in openstack) 14:49:29 <jaosorior> we will need to verify the content of the event records according to some standard 14:49:52 <jaosorior> (or several) 14:50:25 <aripie> #link http://www.etsi.org/technologies-clusters/technologies/nfv 14:50:26 <jaosorior> I will be coming up with results soon. I got side-tracked since I found a little bug in ceilometer and started fixing it 14:50:44 <jaosorior> I have nothing more for Inspector 14:50:47 <jaosorior> do you aripie? 14:50:49 <mwinandy> hmm. security bug? :) 14:50:52 <aripie> the NFV-SEC docs are pretty good, but lack specifics of audit criteria 14:51:12 <jaosorior> mwinandy: nah, some bug regarding displaying events, since it's the stuff I was looking at 14:51:59 <aripie> nothing much more to say today on Inspector, let's hope a wider audience next time attending 14:52:05 <jaosorior> anyway, I guess that's all for inspector 14:52:11 <jaosorior> #topic any other business 14:52:17 <jaosorior> B_Smith: you got anything? 14:54:48 <jaosorior> Alright 14:54:56 <jaosorior> I guess that's that 14:55:53 <aripie> thanks then for today 14:56:03 <jaosorior> #endmeeting