Re: [openstack-dev] [kolla][tc] [security] threat analysis, tags, and the road ahead

2016-04-12 Thread Clark, Robert Graham
On 12/04/2016 18:37, "Jeremy Stanley" wrote: >On 2016-04-01 15:50:57 + (+), Hayes, Graham wrote: >> If a team has already done a TA (e.g. as part of an internal >> product TA) (and produced all the documentation) would this meet >> the requirements? >> >> I ask, as

Re: [openstack-dev] [Openstack-security] [Security]abandoned OSSNs?

2016-04-11 Thread Clark, Robert Graham
Thanks Matt, Michael, To start with, let's look quickly at the more recent OSSNs that are marked as work in progress, namely 63,64,65 and 66 – these should all be published within a week or so. Looking further back we have the more difficult OSSNs 50 and 51, I’m not 100% sure what the blockers

[openstack-dev] [Security][Keystone] OSSN-0064 Draft. Request for review

2016-04-11 Thread Clark, Robert Graham
Hi Guys, OSSN-0064 is in review and requires some Keystone love. https://review.openstack.org/#/c/300091/ In relation to: https://bugs.launchpad.net/ossn/+bug/1545789 Cheers -Rob __ OpenStack Development Mailing List (not

[openstack-dev] [Security] Standing agenda for security IRC meetings

2016-04-08 Thread Clark, Robert Graham
Hi all, As per yesterday’s meeting[1], it seems more sensible to create a standing agenda rather than using a new ether pad for each meeting. The standing agenda is available here: https://etherpad.openstack.org/p/security-agenda Please bookmark this and add topics you’d like to discuss

[openstack-dev] [Security][Barbican] BYOK

2016-04-06 Thread Clark, Robert Graham
Hi All, We’ve had lots of discussion about BYOK and most of it has led to “let's discuss it at the summit”. I’ve got some time for this in the security schedule, I’m checking – is there some other place where this is already tabled to be discussed? -Rob

Re: [openstack-dev] [kolla][tc] [security] threat analysis, tags, and the road ahead

2016-04-01 Thread Clark, Robert Graham
Thanks Steve, Mike, We’ve had a lot more traction with this latest incarnation of TA. I’m very much looking forward to working through the process with the wider community. -Rob On 31/03/2016 20:44, "Steven Dake (stdake)" wrote: >Including tc and kolla > >Michael, >

[openstack-dev] [Security] Newton Design Summit Etherpad

2016-03-23 Thread Clark, Robert Graham
Hi Guys, Please take a few minutes to add ideas to https://etherpad.openstack.org/p/security-newton-summit-brainstorm These don’t have to be things you want to lead, just things you think would be valuable -Rob

Re: [openstack-dev] [magnum] High Availability

2016-03-20 Thread Clark, Robert Graham
At the risk of muddying the waters further, I recently chatted with some of you about Anchor, it's an ephemeral PKI system set up to provide private community PKI - certificate services for internal systems, a lot like k8 pods. An overview of why revocation doesn't work very well in many cases

Re: [openstack-dev] [magnum] High Availability

2016-03-19 Thread Clark, Robert Graham
I thought that a big part of the use case with Magnum + Barbican was Certificate management for Bays? -Rob From: "Dave McCowan (dmccowan)" Reply-To: OpenStack List Date: Saturday, 19 March 2016 14:56 To: OpenStack List Subject: Re: [openstack-dev] [magnum] High Availability The most basic

[openstack-dev] [Security] PTL Candidacy

2016-03-14 Thread Clark, Robert Graham
I'm announcing my candidacy for PTL of the Security project during the Newton release cycle. As one of the founders of the Security project I believe I have a strong base from which to continue developing and enhancing security within OpenStack. The security project has taken great strides

[openstack-dev] [Security] IRC Meeting Agenda

2016-02-25 Thread Clark, Robert Graham
https://etherpad.openstack.org/p/security-20160225-agenda Cheers -Rob

Re: [openstack-dev] [all] A proposal to separate the design summit

2016-02-25 Thread Clark, Robert Graham
+1 For security too, this exactly mirrors our experience. From: Duncan Thomas [mailto:duncan.tho...@gmail.com] Sent: 24 February 2016 12:55 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] [all] A proposal to separate the design summit On 22

Re: [openstack-dev] [magnum] Nesting /containers resource under /bays

2016-01-19 Thread Clark, Robert Graham
+1 Doing this, and doing this well, provides critical functionality to OpenStack while keeping said functionality reasonably decoupled from the COE API vagaries that would inevitably encumber a solution that sought to provide ‘one api to control them all’. -Rob From: Mike Metral Reply-To:

Re: [openstack-dev] [openstack-ansible][security] Should the playbook stop on certain tasks?

2016-01-13 Thread Clark, Robert Graham
I’m pretty new to openstack-ansible-security but based on my use cases which are as much about using this for verification as they are for building secure boxes my preference would be 3) Use an Ansible callback plugin to catch these and print them at the end of the playbook run -Rob On

[openstack-dev] [Security] Cancelling the weekly IRC meeting for thanks giving

2015-11-25 Thread Clark, Robert Graham
Hi all, As the vast majority of the Security Project members are US based we are cancelling the IRC meeting tomorrow. I’ll send out an etherpad agenda early next week and we can catch up then! Kind Regards -Rob

Re: [openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

2015-11-09 Thread Clark, Robert Graham
> -Original Message- > From: Adam Young [mailto:ayo...@redhat.com] > Sent: 02 November 2015 20:54 > To: openstack-dev@lists.openstack.org > Subject: Re: [openstack-dev] [openstack-ansible][security] Creating a CA for > openstack-ansible deployments? > > On 10/26/2015 02:38 PM, Major

Re: [openstack-dev] [openstack-ansible][security] Creating a CA for openstack-ansible deployments?

2015-10-29 Thread Clark, Robert Graham
On 29/10/2015 21:43, "Major Hayden" wrote: >On 10/29/2015 04:33 AM, McPeak, Travis wrote: >> The only potential security drawback is that we are introducing a new >> asset to protect. If we create the tools that enable a deployer to >> easily create and administer a

[openstack-dev] [Security] Meetup / Lunch

2015-10-26 Thread Clark, Robert Graham
We have two fishbowl sessions on Thursday with lunch in the middle. I know there are security talks going on around the same times, this was unavoidable. Perhaps we could all meet up for lunch on Thursday, maybe by the Prince Hotel pool? (Off the marketplace) Looking forward to meeting up

Re: [openstack-dev] [security] The first version of the Logo for Openstack Security Project

2015-10-21 Thread Clark, Robert Graham
I had looped some people into a previous version of the thread but they've not replied yet. I think we ran into this problem before and got a firm "maybe, depending on what it is" from the powers-that-be. Perhaps we should look at a rough-draft alternative logo while we await a verdict? >

Re: [openstack-dev] [security] The first version of the Logo for Openstack Security Project

2015-10-21 Thread Clark, Robert Graham
r the update. We will probably not use any Openstack Logo. > > Here is the first draft of the flyer: > > http://5a6aa6580e900b8e8020-e5e45c5cb10329ebc9fb69948bb1b1a5.r65.cf1.rackcdn.com/ossp-flag-flyer.pdf > > > Please send us your feedback. > > > Yours, > Michae

Re: [openstack-dev] [Security] Introducing Killick PKI

2015-10-12 Thread Clark, Robert Graham
> -Original Message- > From: Adam Young [mailto:ayo...@redhat.com] > Sent: 12 October 2015 02:24 > To: openstack-dev@lists.openstack.org > Subject: Re: [openstack-dev] [Security] Introducing Killick PKI > > On 10/11/2015 06:50 PM, Robert Collins wrote: > > On 9 October 2015 at 06:47, Adam

Re: [openstack-dev] [openstack-ansible] Reviews needed: openstack-ansible-security

2015-10-08 Thread Clark, Robert Graham
It might be worth re-posting this with a [Security] tag. I know a number of us from the Security project have been quietly keeping tabs on this, it seems like great work. We didn't want to wade in because clearly things were already moving with some good momentum and there's no need for us to

[openstack-dev] [Barbican][Security] Automatic Certificate Management Environment

2015-09-24 Thread Clark, Robert Graham
Hi All, So I did a bit of tyre kicking with Letsencrypt today, one of the things I thought was interesting was the adherence to the burgeoning Automatic Certificate Management Environment (ACME) standard. https://letsencrypt.github.io/acme-spec/ It’s one of the more readable crypto related

[openstack-dev] [Security] Weekly Meeting Agenda

2015-09-23 Thread Clark, Robert Graham
Hi All, I won't be available to run the weekly meeting tomorrow as I'm out travelling, Michael McCune (elmiko) has volunteered to lead the meeting. There's IRC information on our wiki page : https://wiki.openstack.org/wiki/Security Agenda items (Please reply to add any more): *PTL

[openstack-dev] [Neutron] Separate floating IP pools?

2015-09-18 Thread Clark, Robert Graham
Is it possible to have separate floating-IP pools and grant a tenant access to only some of them? Thought popped into my head while looking at the rbac-network spec here: https://review.openstack.org/#/c/132661/4/specs/liberty/rbac-networks.rst Creating individual pools, allowing only some

Re: [openstack-dev] [all][elections] PTL nomination period is now over

2015-09-17 Thread Clark, Robert Graham
Likewise, I'm not sure I missed the candidacy window, I think our late mid-cycle threw things out of whack slightly. When I saw the Magnum nomination I made a mental note to apply today. This is a poor-show on my part and I apologise to the TC, the community and the Security team for this

[openstack-dev] [Security] Leadership / Participation in PTL elections.

2015-09-17 Thread Clark, Robert Graham
Security Folks, Somehow I missed the window to nominate myself as a PTL candidate for Security. I have literally no idea how I missed it. I’ve been working on Security project things all week (Anchor and OSSNs mainly) so it’s not like I wasn’t thinking about the Security team! Anyway, I missed

Re: [openstack-dev] [openstack-ansible] Security hardening

2015-09-15 Thread Clark, Robert Graham
Very interesting discussion. The Security project has a published security guide that I believe this would be very appropriate content for, the current guide (for reference) is here: http://docs.openstack.org/sec/ Contributions welcome, just like any other part of the OpenStack docs :) -Rob On

[openstack-dev] [Security] Weekly meeting cancelled due to Mid-Cycle

2015-09-02 Thread Clark, Robert Graham
Security folks, Tomorrow’s mid-cycle is cancelled due to many of us attending the Mid-cycle. -Rob

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread Clark, Robert Graham
he summit yet? I think we should all get >together and talk about it. > >Thanks, >Kevin >________ >From: Clark, Robert Graham [robert.cl...@hp.com] >Sent: Tuesday, September 01, 2015 1:35 PM >To: OpenStack Development Mailing List (not for usage

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread Clark, Robert Graham
ficate lifecycle) please see my comments below :) >-BEGIN PGP SIGNED MESSAGE- >Hash: SHA512 > >Added a few comments inline. > >- - Douglas Mendizábal > >On 9/1/15 12:03 PM, John Dennis wrote: >> On 09/01/2015 10:57 AM, Clark, Robert Graham wrote: >>>

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread Clark, Robert Graham
.@redhat.com] >Sent: Tuesday, September 01, 2015 10:03 AM >To: OpenStack Development Mailing List (not for usage questions) >Subject: Re: [openstack-dev] [magnum] Difference between certs stored in >keystone and certs stored in barbican > >On 09/01/2015 10:57 AM, Clark, Robert Graha

Re: [openstack-dev] [magnum] Difference between certs stored in keystone and certs stored in barbican

2015-09-01 Thread Clark, Robert Graham
>The reason that is compelling is that you can have Barbican generate, >sign, and store a keypair without transmitting the private key over the >network to the client that originates the signing request. It can be >directly stored, and made available only to the clients that need access >to it.

Re: [openstack-dev] Would people see a value in the cve-check-tool?

2015-08-04 Thread Clark, Robert Graham
Hi Elena, This is interesting work, thanks for posting it (and for posting it here on openstack-dev, we are trying to wind down the security ML) though maybe use the [Security] tag in the subject line next time. I think this is a very interesting project, though it’s unclear to me who might

Re: [openstack-dev] [Security] Midcycle Announcement

2015-07-06 Thread Clark, Robert Graham
-Original Message- From: Thierry Carrez [mailto:thie...@openstack.org] Sent: 06 July 2015 09:12 To: openstack-dev@lists.openstack.org Subject: Re: [openstack-dev] [Security] Midcycle Announcement Clark, Robert Graham wrote: The Security Project will be holding it's mid-cycle

[openstack-dev] [Security] Midcycle Announcement

2015-07-06 Thread Clark, Robert Graham
Hi All, The Security Project will be holding its mid-cycle meet-up in Seattle 1st to 4th. Topics for the mid-cycle include: *A sprint on v2 of the Security Guide *Bootstrapping OpenStack Crypto Tracking and Verification Work *Security Face - building the appropriate

[openstack-dev] [Security][VMT] Promoting Michael McCune and Travis McPeak to Security CoreSec

2015-07-01 Thread Clark, Robert Graham
With various +1's and no objections I'm pleased to announce that Michael and Travis are now added to the ossg-coresec team. This team assists the VMT with vulnerability metrics, triage and of course OpenStack Security Notes. Congratulations both! -Rob

Re: [openstack-dev] [Security] the need about implementing a MAC security hook framework for OpenStack

2015-06-17 Thread Clark, Robert Graham
Hi Yang, This is an interesting idea. Most operators running production OpenStack deployments will be using OS-level Mandatory Access Controls already (likely AppArmor or SELinux). I can see where there might be some application on a per-service basis, introducing more security for Swift,

Re: [openstack-dev] [Magnum] TLS Support in Magnum

2015-06-17 Thread Clark, Robert Graham
I think this is an interesting if somewhat difficult to follow thread. It’s worth keeping in mind that there are more ways to handle certificates in OpenStack than just Barbican, though there are often good reasons to use it. Is there a blueprint or scheduled IRC meeting to discuss the options?

[openstack-dev] [Security] Nominating Travis McPeak for Security CoreSec

2015-06-16 Thread Clark, Robert Graham
I'd like to nominate Travis for a CoreSec position as part of the Security project. - CoreSec team members support the VMT with extended consultation on externally reported vulnerabilities. Travis has been an active member of the Security project for a couple of years; he's a part of the bandit

[openstack-dev] [Security][VMT] OSSG CoreSec Positions

2015-06-10 Thread Clark, Robert Graham
All, OSSG CoreSec is a private group on Launchpad, it consists of established Security Project team members who are on hand to be called in by the VMT to consult on vulnerabilities and discuss possible mitigations. We require two new members, as with other project ‘cores’ I suggest a

Re: [openstack-dev] [Security] [Bandit] Using multiprocessing/threading to speed up analysis

2015-06-08 Thread Clark, Robert Graham
Interesting work, I guess my initial thought would be - does it need to be faster? Will this work make maintenance and the addition of features more difficult? -Rob On 08/06/2015 08:26, Ian Cordasco ian.corda...@rackspace.com wrote: Hey everyone, I drew up a blueprint

Re: [openstack-dev] [security] Nominating Mike McCune as Security-Doc Core

2015-05-23 Thread Clark, Robert Graham
+1 from me On 22 May 2015, at 13:55, Nathan Kinder nkin...@redhat.com wrote: On 05/19/2015 05:20 PM, Dillon, Nathaniel wrote: To the Security and Docs groups as well as other interested parties, I would like to nominate Mike McCune to the Security Guide core. He has been contributing

[openstack-dev] [Security][Glance] Design session for image signing/encryption

2015-05-19 Thread Clark, Robert Graham
All, Is there a session to discuss the image security proposal? https://review.openstack.org/#/c/177948/2/specs/liberty/encrypted-and-authenticated-image-support.rst Cheers -Rob

Re: [openstack-dev] [security] / IDS + openstack meeting in Vancouver 4:10 Wednesday May 20

2015-05-19 Thread Clark, Robert Graham
Sounds good, I'm not sure if I'll be able to make it, or in fact if TaaS is the way forward, there's a few different options in this space and personally I like bump in the wire OVS - something to discuss :) I'll try to make it but I expect this will be a long running discussion. Kind Regard

Re: [openstack-dev] [security] Consensus on security guidance license

2015-05-15 Thread Clark, Robert Graham
Agree Sent from my iPhone On 15 May 2015, at 10:17, Rob Fletcher rfletch@gmail.com wrote: sgtm On Fri, May 15, 2015 at 10:04 AM, Paul McMillan p...@mcmillan.ws wrote: Works for me. -Paul On May 15, 2015 10:03 AM, Murphy, Grant

[openstack-dev] [Security] Reminder - No IRC meeting this week

2015-05-12 Thread Clark, Robert Graham
Just a quick reminder, the security project IRC meeting is cancelled this week so we can be ready for the summit. -Rob

Re: [openstack-dev] [Security] CORS Documentation

2015-05-05 Thread Clark, Robert Graham
Hi Michael, Nathaniel might have some insight here, adding him directly. Cheers -Rob From: Michael Krotscheck [mailto:krotsch...@gmail.com] Sent: 05 May 2015 16:33 To: OpenStack Development Mailing List (not for usage questions) Subject: [openstack-dev] [Security] CORS Documentation

[openstack-dev] [Security] Design Summit Sessions

2015-04-24 Thread Clark, Robert Graham
Hi Security, We have two fishbowl events and one boardroom, I’ve assigned them to activities: [Fishbowl] 20 May, 1350, Vulnerability Management [Boardroom] 21 May, 0950, Security: Work Session [Rebranding] [Fishbowl] 21 May, 1700, Security Tooling Please take a look at the link below and let me

[openstack-dev] [Security] Meeting agenda

2015-04-09 Thread Clark, Robert Graham
Reminder to all, our meeting is today at 1700 UTC on Freenode #openstack-meeting-alt The agenda can be found here: https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity#Agenda_for_next_meeting * Roll Call * Reminder that the agenda exists * Update on project status *

[openstack-dev] Announcement - The Security Team for OpenStack

2015-04-02 Thread Clark, Robert Graham
The OpenStack Security Group (OSSG) and the OpenStack Vulnerability Management Team (VMT) have historically operated as independent teams, each with a focus on different aspects of OpenStack security. To present a more coherent security posture we are pleased to announce that the OSSG and VMT will

[openstack-dev] [tc] Request to adopt security as a project team

2015-04-02 Thread Clark, Robert Graham
Technical Committee, Please consider this request to recognize the security team as an OpenStack project team. This is a milestone for the OpenStack Security Group and follows from our merging with the VMT. Over the last few years what started as a small working group has become a team of

[openstack-dev] [Security] Agenda for next meeting

2015-03-31 Thread Clark, Robert Graham
Security folks, The agenda for the next security group meeting is up on https://wiki.openstack.org/wiki/Meetings/OpenStackSecurity#OpenStack_Security_Group_Meetings As a reminder, this is 1700 UTC on irc.freenode.net #openstack-meeting-alt Cheers -Rob

Re: [openstack-dev] [OSSG] Announcement: I'll be transitioning away from OpenStack

2015-03-17 Thread Clark, Robert Graham
This is a big loss to the community, it’s been a real pleasure working with you over the last three years and I wish you all the best in the future! -Rob From: Bryan D. Payne [mailto:bdpa...@acm.org] Sent: 16 March 2015 21:53 To: OpenStack Development Mailing List Subject:

Re: [openstack-dev] nominating Nathaniel Dillon for security-doc core

2015-03-05 Thread Clark, Robert Graham
On 05/03/2015 21:37, Nathan Kinder nkin...@redhat.com wrote: On 03/05/2015 01:14 PM, Bryan D. Payne wrote: To security-doc core and other interested parties, Nathaniel Dillon has been working consistently on the security guide since our first mid-cycle meet up last summer. In that time he

Re: [openstack-dev] Lack of quota - security bug or not?

2014-12-11 Thread Clark, Robert Graham
On 11/12/2014 13:16, Thierry Carrez thie...@openstack.org wrote: George Shuklin wrote: On 12/10/2014 10:34 PM, Jay Pipes wrote: On 12/10/2014 02:43 PM, George Shuklin wrote: I have some small discussion in launchpad: is lack of a quota for unprivileged user counted as security bug (or at

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG] Mid Cycle Attendance / Crossover.

2014-11-12 Thread Clark, Robert Graham
for the last mid-cycle to be helpful, so it might be worthwhile doing again. -Doug M. Douglas Mendizábal IRC: redrobot PGP Key: 245C 7B6F 70E9 D8F3 F5D5 0CC9 AD14 1F30 2D58 923C On 11/7/14, 8:02 PM, Clark, Robert Graham robert.cl...@hp.com

[openstack-dev] [Barbican][OSSG] Mid Cycle Attendance / Crossover.

2014-11-07 Thread Clark, Robert Graham
Hi All, How many people would want to attend both the OSSG mid-cycle and the Barbican one? Both expected to be on the west coast of the US. We are trying to work out how/if we should organise these events to take place at adjacent times and if they should be in the same location, back to back

[openstack-dev] [Barbican] Is there an agreed way for plugins to log output

2014-07-17 Thread Clark, Robert Graham
As above, couldn’t see any conventions. Thanks -Rob

Re: [openstack-dev] [barbican] Etherpad discussion related to ssl certificate workflow CR

2014-07-17 Thread Clark, Robert Graham
We’ve been looking into CAs that give you an instant response on a certificate signing request (based on various conditions) - I’m not sure that we can easily make this work with the state structures described? Our basic flow is Client —[https|somecreds|somecsr]-- CA

Re: [openstack-dev] [Barbican] Barebones CA

2014-07-12 Thread Clark, Robert Graham
: [openstack-dev] [Barbican] Barebones CA On 06/25/2014 02:42 PM, Clark, Robert Graham wrote: Ok, I’ll hack together a dev plugin over the next week or so, other work notwithstanding. Where possible I’ll probably borrow from the Dogtag plugin as I’ve not looked closely at the plugin

Re: [openstack-dev] [Barbican] Barebones CA

2014-06-26 Thread Clark, Robert Graham
On 26/06/2014 03:43, Nathan Kinder nkin...@redhat.com wrote: On 06/25/2014 02:42 PM, Clark, Robert Graham wrote: Ok, I’ll hack together a dev plugin over the next week or so, other work notwithstanding. Where possible I’ll probably borrow from the Dogtag plugin as I’ve not looked closely

Re: [openstack-dev] [Neutron]One security issue about floating ip

2014-06-26 Thread Clark, Robert Graham
It's kinda ugly, if a user through API/Horizon thinks they've isolated a host, it should be isolated… I smell an OSSN here... On 26/06/2014 17:57, Miguel Angel Ajo Pelayo mangel...@redhat.com wrote: Yes, once a connection has passed the NAT tables, and it's on the kernel connection tracker, it

Re: [openstack-dev] [Barbican] Barebones CA

2014-06-25 Thread Clark, Robert Graham
of doing something like that. That's still a bit hard to deploy, so it would make sense to extend the 'dev' plugin to include those features. Jarret On 6/24/14, 4:04 PM, Clark, Robert Graham robert.cl...@hp.com wrote: Yeah pretty much. That's something I'd be interested to work

[openstack-dev] [Barbican] Barebones CA

2014-06-24 Thread Clark, Robert Graham
Hi all, I’m sure this has been discussed somewhere and I’ve just missed it. Is there any value in creating a basic ‘CA’ and plugin to satisfy tests/integration in Barbican? I’m thinking something that probably performs OpenSSL certificate operations itself, ugly but perhaps useful for some

Re: [openstack-dev] [Barbican] Barebones CA

2014-06-24 Thread Clark, Robert Graham
' to enable certificate generation orders to be evaluated and demo-ed on local boxes. Is this what you were thinking though? Thanks, John From: Clark, Robert Graham [robert.cl...@hp.com] Sent: Tuesday, June 24, 2014 10:36 AM To: OpenStack List Subject

Re: [openstack-dev] Periodic Security Checks

2014-06-23 Thread Clark, Robert Graham
I think this is very interesting and would love to see the code for it. The blueprint mentions performing checks beyond what Open Attestation provides, add dynamic check to verify memory - this is probably a stretch goal as process memory verification is extremely complex. I'm not aware of anyone

Re: [openstack-dev] Mid-Cycle Meetup

2014-06-13 Thread Clark, Robert Graham
that needs to be in by J2 is in. That means the API changes. I'll be there. On 05/23/2014 03:09 AM, Clark, Robert Graham wrote: I’d like to attend all the Barbican stuff and I’m sure there’ll be some interesting Keystone things too. I think it’s likely we’d do more

Re: [openstack-dev] Message level security plans. [barbican]

2014-06-13 Thread Clark, Robert Graham
-Original Message- From: Jamie Lennox [mailto:jamielen...@redhat.com] Sent: 13 June 2014 03:25 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] Message level security plans. [barbican] On Thu, 2014-06-12 at 23:22 +, Tiwari, Arvind

[openstack-dev] Calling on Security Engineers / Developers / Architects - Time to share your toys

2014-06-12 Thread Clark, Robert Graham
All, TL;DR: Let's work together and openly on security review and threat analysis for OpenStack I've discussed this for a while within the security group but now I'm sharing more widely here on -dev. There are currently scores of security reviews taking place on OpenStack architecture, projects

Re: [openstack-dev] [Neutron][LBaaS] TLS support RST document on Gerrit

2014-06-11 Thread Clark, Robert Graham
Users have to be able to delete their secrets from Barbican, it's a fundamental key-management requirement. -Original Message- From: Eichberger, German Sent: 11 June 2014 17:43 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev]

Re: [openstack-dev] [Neutron][LBaaS] Barbican Neutron LBaaS Integration Ideas

2014-06-10 Thread Clark, Robert Graham
It looks like this has come full circle and we are back at the simplest case. # Containers are immutable # Changing a cert means creating a new container and, when ready, pointing LBaaS at the new container This makes a lot of sense to me, it removes a lot of handholding and keeps Barbican and

Re: [openstack-dev] [Barbican] KMIP support

2014-06-04 Thread Clark, Robert Graham
Thanks guys, you've answered everything I needed to know! I'll look to see what help I can provide to the KMIP efforts. -Rob On 04/06/2014 15:18, Becker, Bill bill.bec...@safenet-inc.com wrote: Regarding: Also, is the “OpenStack KMIP Client” ever going to be a thing?

[openstack-dev] [Barbican] KMIP support

2014-06-01 Thread Clark, Robert Graham
All, I’m researching a bunch of HSM applications and I’m struggling to find much info. I was wondering about the progress of KMIP support in Barbican? Is this waiting on an open python KMIP support? Also, is the “OpenStack KMIP Client” ever going to be a thing?

Re: [openstack-dev] [Neutron] SSL VPN Implemenatation

2014-05-29 Thread Clark, Robert Graham
directly from Barbican? 2014-05-01 9:42 GMT-07:00 Clark, Robert Graham robert.cl...@hp.com: Excuse me interrupting but couldn't you treat the key as largely ephemeral, pull it down from Barbican, start the OpenVPN process and then purge the key? It would of course still be resident

Re: [openstack-dev] [Neutron][LBaaS]TLS API support for authentication

2014-05-28 Thread Clark, Robert Graham
Several OSSG members have expressed an interest in reviewing this functionality too. -Rob On 28/05/2014 11:35, Samuel Bercovici samu...@radware.com wrote: This is very good news. Please point to the code review in gerrit. -Sam. -Original Message- From: Eichberger, German

Re: [openstack-dev] [Openstack-security] [Barbican][OSSG][Keystone] Mid-Cycle Meetup

2014-05-23 Thread Clark, Robert Graham
I’d like to attend all the Barbican stuff and I’m sure there’ll be some interesting Keystone things too. I think it’s likely we’d do more parallel ‘OSSG’ stuff on the Keystone days though I’m free on these dates. From: Bryan Payne bdpa...@acm.org Date: Friday, 23 May

Re: [Openstack] [openstack-dev] [Barbican][OSSG][Keystone] Mid-Cycle Meetup

2014-05-23 Thread Clark, Robert Graham
Yeah, I think they're rough for a few people, certainly doesn't make life easier for those travelling big distances. On 22/05/2014 21:19, Nathan Reller rellerrel...@yahoo.com wrote: I am interested but the dates are a little rough because it is July 4th weekend. Any chance of pushing it back a

[openstack-dev] [Cinder][OSSG] Security note OSSN-0014 needs Cinder sign off

2014-05-21 Thread Clark, Robert Graham
Hi Cinder folks, Malini from the security group has drafted an OpenStack Security Note for an issue regarding cinder driver permissions that was previously reported to the VMT. Our process for publishing OSSNs requires sign off from two OSSN core and one core of the affected project(s) - we’d

Re: [openstack-dev] A proposal for code reduction

2014-05-21 Thread Clark, Robert Graham
From: Abhijeet Jain [mailto:abhijeet.j...@nectechnologies.in] Sent: 21 May 2014 12:27 To: openstack-dev@lists.openstack.org Subject: [openstack-dev] A proposal for code reduction Hi Openstack-developers, I am Abhijeet Jain. One of the contributors in OpenStack. I was just working on

[openstack-dev] [Barbican] Meeting time moving?

2014-05-20 Thread Clark, Robert Graham
Hi All, At the summit I heard that the Barbican meeting time might be moving, has anything been agreed? Cheers -Rob

Re: [openstack-dev] [Barbican] Today's Meeting Cancelled

2014-05-19 Thread Clark, Robert Graham
Seems to be the way most people are going, I noticed Ironic announcing the same today. On 19/05/2014 19:46, Jarret Raim jarret.r...@rackspace.com wrote: Barbicaneers, Many of us are just getting back into the swing of things so we are going to go ahead and cancel the meeting today. The main

Re: [Openstack] Using Nova client with SSH SOCKS proxy

2014-05-16 Thread Clark, Robert Graham
Is localhost listed in your /etc/hosts ? Maybe try with HTTP_PROXY=http://127.0.0.1:13392 - just in case. On 16/05/2014 11:41, Adrian Smith adr...@17od.com wrote: To access my controller I need to go through an intermediary box. I've created a local SOCKS proxy by ssh'ing to this intermediary

Re: [openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL cert implementation for LBaaS and VPN

2014-05-08 Thread Clark, Robert Graham
The certificate management that LBaaS requires might be slightly different to the normal flow of things in OpenStack services, after all you are talking about externally provided certificates and private keys. There's already a standard for a nice way to bundle those two elements together,

Re: [openstack-dev] [Neutron] [LBaaS][VPN][Barbican] SSL cert implementation for LBaaS and VPN

2014-05-08 Thread Clark, Robert Graham
a Neutron requirement (LBaaS, VPNaaS, FWaaS) and maybe as a transition project to an OpenStack wide solution (1 or 2). Option 1 or 2 might be the ultimate goal. Regards, -Sam. From: Clark, Robert Graham [mailto:robert.cl...@hp.com] Sent: Thursday, May 08, 2014

Re: [openstack-dev] Security audit of OpenStack projects

2014-05-02 Thread Clark, Robert Graham
-Original Message- From: John Dennis [mailto:jden...@redhat.com] Sent: 02 May 2014 14:23 To: OpenStack Development Mailing List (not for usage questions) Subject: Re: [openstack-dev] Security audit of OpenStack projects On 04/07/2014 12:06 PM, Nathan Kinder wrote: Hi, We

Re: [openstack-dev] [Neutron] SSL VPN Implementation

2014-05-01 Thread Clark, Robert Graham
Excuse me interrupting but couldn't you treat the key as largely ephemeral, pull it down from Barbican, start the OpenVPN process and then purge the key? It would of course still be resident in the memory of the OpenVPN process but should otherwise be protected against filesystem disk-residency

Re: [Openstack] [Openstack-security] API Security

2014-04-29 Thread Clark, Robert Graham
This is why any production API servers should all be running TLS/SSL – to protect the confidentiality of messages in flight. There have been efforts to remove sensitive information from logs, I’m a little surprised that passwords are logged in Neutron. From: Hao Wang

Re: [Openstack] [Openstack-security] API Security

2014-04-29 Thread Clark, Robert Graham
. -Original Message- From: Rob Crittenden [mailto:rcrit...@redhat.com] Sent: 29 April 2014 15:39 To: Hao Wang; Clark, Robert Graham Cc: openstack-secur...@lists.openstack.org; openstack; Aaron Knister Subject: Re: [Openstack-security] [Openstack] API Security Hao Wang wrote: Thanks

Re: [Openstack] [Openstack-security] API Security

2014-04-29 Thread Clark, Robert Graham
Crittenden’s comments – check out Nathan Kinder's blog entry on the topic https://blog-nkinder.rhcloud.com/?p=7 From: Hao Wang [mailto:hao.1.w...@gmail.com] Sent: 29 April 2014 16:04 To: Rob Crittenden Cc: Clark, Robert Graham; openstack-secur...@lists.openstack.org; openstack; Aaron Knister

[Openstack] [Barbican] Key Recovery / Availability

2014-03-19 Thread Clark, Robert Graham
Has there been much discussion on how to ensure that keys are recoverable in the event that Barbican has some sort of horrific failure? I suppose a HA frontend, Redundant Keystore Databases and HA paired HSMs would be the most obvious non-code-writing path but this feels pretty clunky, I was

Re: [Openstack] [Barbican] Key Recovery / Availability

2014-03-19 Thread Clark, Robert Graham
-Original Message- From: Clint Byrum [mailto:cl...@fewbar.com] Sent: 19 March 2014 18:22 To: openstack Subject: Re: [Openstack] [Barbican] Key Recovery / Availability Excerpts from Clark, Robert Graham's message of 2014-03-19 07:41:35 -0700: Has there been much discussion on

Re: [Openstack] [Barbican] Key Recovery / Availability

2014-03-19 Thread Clark, Robert Graham
As the services I described were the first things that came into my mind with regards to high availability in Barbican I assumed that there was probably a better strategy. If the strategy is as you've described then that's great - even I can understand that! -Rob Our plan for deployment

Re: [Openstack] [Barbican] HTTPS Connection Question

2014-03-05 Thread Clark, Robert Graham
Very often you’ll deploy them on the same server, so no plaintext goes over the wire. -Rob From: Miller, Mark M (EB SW Cloud - RD - Corvallis) Sent: 05 March 2014 20:31 To: Douglas Mendizabal; Tiwari, Arvind; Ferreira, Rafael; Remo Mattei; Wyllys Ingersoll; openstack@lists.openstack.org

Re: [Openstack] Plaintext password in getCredential token

2014-02-05 Thread Clark, Robert Graham
On Wed Feb 5 08:34:34 2014, Rob Crittenden wrote: Emanuel Marzini wrote: Hi, I have a software that uses OpenStack. When it does an action for the first time, it needs to get a token from OpenStack. How is it possible to make a POST request like: '{auth:{passwordCredentials:{username: joeuser,

Re: [Openstack] [swift] Is anyone using cloudfuse successfully?

2014-01-23 Thread Clark, Robert Graham
On Thu Jan 23 07:41:09 2014, Joe Topjian wrote: A group I'm working with recently finished some basic cloudfuse testing and in the end, we weren't 100% comfortable with using it in production. The core reason for this is cloudfuse writing files to /tmp before they get moved to Swift. We played

Re: [openstack-dev] [ironic] Disk Eraser

2014-01-17 Thread Clark, Robert Graham
On 17/01/2014 08:19, Robert Collins wrote: On 16 January 2014 03:31, Alan Kavanagh alan.kavan...@ericsson.com wrote: Hi fellow OpenStackers Does anyone have any recommendations on open source tools for disk erasure/data destruction software. I have so far looked at DBAN and disk scrubber

Re: [openstack-dev] Incubation Request for Barbican

2013-12-12 Thread Clark, Robert Graham
From: Bryan D. Payne [mailto:bdpa...@acm.org] Sent: 12 December 2013 16:12 To: OpenStack Development Mailing List (not for usage questions) Cc: openstack...@lists.openstack.org; cloudkeep@googlegroups. com; barbi...@lists.rackspace.com Subject: Re: [openstack-dev] Incubation Request for Barbican

[Openstack] [OSSG][OSSN] Restarting memcached loses revoked token list

2013-09-19 Thread Clark, Robert Graham
Restarting memcached loses revoked token list - ### Summary ### When a cloud is deployed using Memcache as a backend for Keystone tokens there is a security concern that restarting Memcached will lose the list of revoked tokens, potentially allowing bad tokens / users to access the system

[Openstack] [OSSG][OSSN] HTTP Strict Transport Security not enabled on Horizon Dashboard

2013-09-19 Thread Clark, Robert Graham
HTTP Strict Transport Security not enabled on Horizon Dashboard ### Summary ### Cloud operators using Horizon for production or internet facing operations should strongly consider configuring HSTS for their deployment ### Affected Services / Software ### Horizon, SSL, TLS, Apache, Nginx
