openstackgerrit | Merged openstack/bandit: Misspelling in error message in file screen.py https://review.openstack.org/269866 | 00:13 |
---|---|---|
*** markvoelker has quit IRC | 00:14 | |
*** markvoelker has joined #openstack-security | 00:17 | |
*** diazjf has joined #openstack-security | 00:20 | |
*** diazjf has quit IRC | 00:20 | |
*** austin987 has quit IRC | 00:21 | |
*** ccneill has quit IRC | 00:26 | |
*** austin987 has joined #openstack-security | 00:32 | |
openstackgerrit | Patrick Amor proposed openstack/security-doc: Add section on passwords and password managers for Sec Guide Dashboard chapter https://review.openstack.org/268256 | 00:37 |
openstackgerrit | Stanislaw Pitucha proposed openstack/anchor: New asn1 modules for CMC support https://review.openstack.org/267965 | 00:47 |
*** bpokorny has joined #openstack-security | 00:55 | |
openstackgerrit | Eric Brown proposed openstack/bandit: Support hacking H104 https://review.openstack.org/269940 | 01:03 |
openstackgerrit | Eric Brown proposed openstack/bandit: Support hacking H104 https://review.openstack.org/269940 | 01:05 |
*** salv-orlando has quit IRC | 01:12 | |
*** jhfeng has joined #openstack-security | 01:30 | |
*** browne has joined #openstack-security | 01:36 | |
*** jhfeng has quit IRC | 01:50 | |
*** jhfeng has joined #openstack-security | 01:55 | |
*** jhfeng has quit IRC | 01:56 | |
*** bpokorny_ has joined #openstack-security | 01:56 | |
*** jhfeng has joined #openstack-security | 01:58 | |
*** jhfeng has quit IRC | 01:59 | |
*** jhfeng has joined #openstack-security | 01:59 | |
*** bpokorny has quit IRC | 02:00 | |
*** bpokorny_ has quit IRC | 02:01 | |
*** tmcpeak1 has joined #openstack-security | 02:01 | |
*** tmcpeak has quit IRC | 02:01 | |
*** dave-mccowan has joined #openstack-security | 02:23 | |
*** browne has quit IRC | 02:30 | |
*** jhfeng has quit IRC | 02:31 | |
*** edmondsw has quit IRC | 02:37 | |
*** markvoelker has quit IRC | 02:42 | |
*** tmcpeak1 has quit IRC | 02:49 | |
*** browne has joined #openstack-security | 03:06 | |
*** avarner_ has quit IRC | 03:12 | |
*** yuanying_ has joined #openstack-security | 03:18 | |
*** yuanying has quit IRC | 03:19 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/269985 | 03:23 |
openstackgerrit | Merged openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/269985 | 03:58 |
*** yuanying_ has quit IRC | 04:05 | |
*** yuanying_ has joined #openstack-security | 04:07 | |
*** dave-mccowan has quit IRC | 04:12 | |
*** markvoelker has joined #openstack-security | 04:14 | |
openstackgerrit | Merged openstack/bandit: Support hacking H104 https://review.openstack.org/269940 | 04:19 |
*** yuanying has joined #openstack-security | 04:20 | |
*** yuanying_ has quit IRC | 04:22 | |
*** bpokorny has joined #openstack-security | 04:31 | |
*** yuanying has quit IRC | 04:37 | |
*** yuanying has joined #openstack-security | 04:39 | |
*** yuanying has quit IRC | 04:40 | |
*** bpokorny has quit IRC | 04:40 | |
*** bpokorny has joined #openstack-security | 04:42 | |
*** yuanying has joined #openstack-security | 04:44 | |
*** bpokorny has quit IRC | 04:44 | |
*** yuanying_ has joined #openstack-security | 04:49 | |
*** yuanying has quit IRC | 04:50 | |
*** bpokorny has joined #openstack-security | 04:57 | |
*** jhfeng has joined #openstack-security | 05:33 | |
*** jhfeng has quit IRC | 05:37 | |
*** bpokorny has quit IRC | 05:43 | |
*** salv-orlando has joined #openstack-security | 05:49 | |
*** _et_ has quit IRC | 06:02 | |
*** jamielennox is now known as jamielennox|away | 06:40 | |
*** liverpooler has quit IRC | 06:45 | |
*** rcernin has joined #openstack-security | 07:02 | |
*** browne has quit IRC | 07:02 | |
*** tjt263 has joined #openstack-security | 07:02 | |
*** _et_ has joined #openstack-security | 07:08 | |
*** markvoelker has quit IRC | 07:11 | |
*** markvoelker has joined #openstack-security | 07:12 | |
*** markvoelker_ has joined #openstack-security | 07:18 | |
*** markvoelker has quit IRC | 07:20 | |
*** markvoel_ has joined #openstack-security | 07:42 | |
*** markvoelker_ has quit IRC | 07:43 | |
*** salv-orlando has quit IRC | 07:49 | |
*** liverpooler has joined #openstack-security | 08:30 | |
*** liverpooler has quit IRC | 08:34 | |
*** liverpooler has joined #openstack-security | 08:35 | |
*** tjt263 has left #openstack-security | 10:05 | |
*** hyakuhei has joined #openstack-security | 10:15 | |
*** hyakuhei has quit IRC | 10:16 | |
openstackgerrit | Merged openstack/anchor: Add more auth details to the audit message https://review.openstack.org/253288 | 10:27 |
openstackgerrit | Merged openstack/anchor: Add documentation for audit https://review.openstack.org/254544 | 10:29 |
*** markd_ has joined #openstack-security | 10:57 | |
*** _et_ has quit IRC | 11:03 | |
*** rcernin has quit IRC | 11:05 | |
*** rcernin has joined #openstack-security | 11:07 | |
*** rcernin is now known as rcernin|lunch | 11:13 | |
*** hyakuhei has joined #openstack-security | 11:21 | |
*** hyakuhei has quit IRC | 11:42 | |
*** openstackgerrit has quit IRC | 11:43 | |
*** openstackgerrit has joined #openstack-security | 11:44 | |
*** harry51s has joined #openstack-security | 11:49 | |
*** _et_ has joined #openstack-security | 12:43 | |
*** rcernin|lunch is now known as rcernin | 13:07 | |
*** dslev has joined #openstack-security | 13:34 | |
*** dslev has quit IRC | 13:43 | |
*** chair6_ has joined #openstack-security | 13:48 | |
*** liverpoo1er has joined #openstack-security | 13:51 | |
*** raginbaj- has joined #openstack-security | 13:55 | |
*** electrichead has joined #openstack-security | 13:55 | |
*** bknudson_ has joined #openstack-security | 13:55 | |
*** gmurphy_ has joined #openstack-security | 13:55 | |
*** electrichead is now known as Guest10164 | 13:55 | |
*** gocrazy has quit IRC | 13:56 | |
*** bknudson has quit IRC | 13:56 | |
*** d0ugal has quit IRC | 13:56 | |
*** raginbajin has quit IRC | 13:56 | |
*** redrobot has quit IRC | 13:56 | |
*** gmurphy has quit IRC | 13:56 | |
*** liverpooler has quit IRC | 13:56 | |
*** chair6 has quit IRC | 13:56 | |
*** raginbaj- is now known as raginbajin | 13:56 | |
*** dave-mccowan has joined #openstack-security | 14:00 | |
*** ninag has joined #openstack-security | 14:01 | |
*** gocrazy has joined #openstack-security | 14:02 | |
*** d0ugal has joined #openstack-security | 14:03 | |
*** timkennedy1 has joined #openstack-security | 14:22 | |
*** timkennedy1 has left #openstack-security | 14:25 | |
*** timkennedy has quit IRC | 14:25 | |
*** jmckind has joined #openstack-security | 14:27 | |
*** harry51s has quit IRC | 14:27 | |
*** edmondsw has joined #openstack-security | 14:33 | |
*** liverpoo1er has quit IRC | 14:36 | |
*** harry51s has joined #openstack-security | 14:38 | |
*** jmckind has quit IRC | 14:40 | |
*** jmckind has joined #openstack-security | 14:47 | |
*** chair6_ is now known as chair6 | 14:51 | |
*** avarner_ has joined #openstack-security | 15:02 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 15:13 | |
*** tmcpeak has joined #openstack-security | 15:14 | |
openstackgerrit | OpenStack Proposal Bot proposed openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/270246 | 15:20 |
*** markvoel_ has quit IRC | 15:25 | |
*** _et_ has quit IRC | 15:33 | |
*** jmckind_ has joined #openstack-security | 15:35 | |
*** jmckind has quit IRC | 15:38 | |
*** ninag has quit IRC | 15:43 | |
*** cjschaef has joined #openstack-security | 15:45 | |
*** markvoelker_ has joined #openstack-security | 15:46 | |
*** avarner_ has quit IRC | 15:48 | |
*** Guest10164 is now known as redrobot | 15:49 | |
*** ninag has joined #openstack-security | 15:51 | |
*** hyakuhei has joined #openstack-security | 15:59 | |
*** timkennedy has joined #openstack-security | 16:01 | |
*** austin987 has quit IRC | 16:17 | |
*** edtubill has joined #openstack-security | 16:18 | |
*** diazjf has joined #openstack-security | 16:22 | |
*** rcernin has quit IRC | 16:25 | |
*** salv-orlando has joined #openstack-security | 16:30 | |
*** austin987 has joined #openstack-security | 16:32 | |
*** bpokorny has joined #openstack-security | 16:37 | |
*** austin987 has quit IRC | 16:37 | |
*** elly has joined #openstack-security | 16:43 | |
elly | What's up | 16:44 |
elmiko | not much | 16:44 |
elly | Why Elmiko | 16:46 |
elmiko | why not? | 16:47 |
elly | Okay :-) | 16:47 |
elly | Do you use OpenStack? | 16:48 |
*** elly has quit IRC | 16:51 | |
openstackgerrit | Merged openstack/security-doc: Updated from openstack-manuals https://review.openstack.org/270246 | 16:53 |
*** bpokorny_ has joined #openstack-security | 16:59 | |
tmcpeak | :# ^ | 16:59 |
*** browne has joined #openstack-security | 17:01 | |
*** bpokorny has quit IRC | 17:02 | |
*** avarner_ has joined #openstack-security | 17:05 | |
*** austin987 has joined #openstack-security | 17:05 | |
*** jhfeng has joined #openstack-security | 17:08 | |
*** jhfeng has quit IRC | 17:20 | |
*** edtubill has quit IRC | 17:27 | |
*** jhfeng has joined #openstack-security | 17:35 | |
*** bpokorny_ has quit IRC | 17:37 | |
*** bpokorny has joined #openstack-security | 17:38 | |
*** _et_ has joined #openstack-security | 17:41 | |
*** austin987 has quit IRC | 17:41 | |
*** austin987 has joined #openstack-security | 17:43 | |
*** avarner_ has quit IRC | 17:55 | |
*** browne has quit IRC | 18:05 | |
*** markd_ has quit IRC | 18:12 | |
*** avarner_ has joined #openstack-security | 18:13 | |
*** harry51s has quit IRC | 18:13 | |
*** diazjf has quit IRC | 18:14 | |
*** kragniz_ has joined #openstack-security | 18:17 | |
elmiko | tmcpeak: i was bummed, that conversation was just starting | 18:21 |
*** diazjf has joined #openstack-security | 18:21 | |
tmcpeak | elmiko yeah, I bet | 18:21 |
*** kragniz has quit IRC | 18:22 | |
*** hyakuhei has quit IRC | 18:23 | |
openstackgerrit | Patrick Amor proposed openstack/security-doc: Discuss passwords and password managers for Dashboard chapter https://review.openstack.org/268256 | 18:45 |
*** browne has joined #openstack-security | 18:53 | |
*** edmondsw has quit IRC | 18:57 | |
*** edmondsw has joined #openstack-security | 18:57 | |
*** cjschaef has quit IRC | 18:57 | |
*** cjschaef has joined #openstack-security | 18:57 | |
*** ninag has quit IRC | 18:57 | |
*** ninag has joined #openstack-security | 18:57 | |
*** avarner_ has quit IRC | 18:58 | |
*** avarner_ has joined #openstack-security | 18:58 | |
*** timkennedy has left #openstack-security | 19:00 | |
*** ninag has quit IRC | 19:00 | |
*** bpokorny_ has joined #openstack-security | 19:01 | |
*** browne has quit IRC | 19:01 | |
*** bpokorny_ has quit IRC | 19:01 | |
*** ninag has joined #openstack-security | 19:02 | |
*** bpokorny_ has joined #openstack-security | 19:02 | |
*** browne has joined #openstack-security | 19:02 | |
*** ninag_ has joined #openstack-security | 19:03 | |
*** cjschaef_ has joined #openstack-security | 19:04 | |
*** bpokorny has quit IRC | 19:05 | |
*** liverpooler has joined #openstack-security | 19:05 | |
*** ninag has quit IRC | 19:07 | |
*** cjschaef has quit IRC | 19:07 | |
*** ninag_ has quit IRC | 19:08 | |
*** ninag has joined #openstack-security | 19:08 | |
openstackgerrit | Merged openstack/security-doc: Discuss passwords and password managers for Dashboard chapter https://review.openstack.org/268256 | 19:12 |
*** jhfeng has quit IRC | 19:18 | |
*** bpokorny_ has quit IRC | 19:34 | |
*** bpokorny has joined #openstack-security | 19:35 | |
*** diazjf has quit IRC | 19:35 | |
*** jhfeng has joined #openstack-security | 19:44 | |
*** diazjf has joined #openstack-security | 19:47 | |
*** jmckind has joined #openstack-security | 19:51 | |
*** jmckind_ has quit IRC | 19:52 | |
*** ccneill has joined #openstack-security | 19:52 | |
*** jmckind_ has joined #openstack-security | 19:53 | |
*** jmckind has quit IRC | 19:57 | |
*** ccneill has quit IRC | 20:06 | |
*** ninag has joined #openstack-security | 20:07 | |
*** ccneill has joined #openstack-security | 20:07 | |
*** salv-orlando has quit IRC | 20:18 | |
*** bpokorny has quit IRC | 20:33 | |
*** diazjf1 has joined #openstack-security | 20:35 | |
*** harry51s has joined #openstack-security | 20:36 | |
*** diazjf has quit IRC | 20:37 | |
*** bpokorny has joined #openstack-security | 20:43 | |
*** ccneill_ has joined #openstack-security | 20:44 | |
*** ccneill has quit IRC | 20:45 | |
*** bknudson_ has quit IRC | 20:46 | |
*** bknudson has joined #openstack-security | 20:47 | |
openstackgerrit | Henry Yamauchi proposed openstack/bandit: Broken link to plugin list in file config.rst https://review.openstack.org/270475 | 20:49 |
*** ninag has quit IRC | 21:06 | |
*** bpokorny has quit IRC | 21:09 | |
*** bpokorny has joined #openstack-security | 21:09 | |
openstackgerrit | Merged openstack/bandit: Broken link to plugin list in file config.rst https://review.openstack.org/270475 | 21:11 |
openstackgerrit | Christopher J Schaefer proposed openstack/bandit: Only decode output of subprocess https://review.openstack.org/270484 | 21:14 |
*** salv-orlando has joined #openstack-security | 21:18 | |
*** salv-orlando has quit IRC | 21:19 | |
*** salv-orlando has joined #openstack-security | 21:19 | |
*** diazjf1 has quit IRC | 21:19 | |
*** diazjf has joined #openstack-security | 21:22 | |
*** ninag has joined #openstack-security | 21:25 | |
*** ccneill_ has quit IRC | 21:25 | |
openstackgerrit | Christopher J Schaefer proposed openstack/bandit: Only decode output of subprocess https://review.openstack.org/270484 | 21:28 |
openstackgerrit | Christopher J Schaefer proposed openstack/bandit: Only decode output of subprocess https://review.openstack.org/270484 | 21:31 |
*** timkennedy1 has joined #openstack-security | 21:34 | |
*** harry51s has left #openstack-security | 21:41 | |
*** timkennedy1 has quit IRC | 22:01 | |
*** kragniz_ is now known as kragniz | 22:12 | |
openstackgerrit | Merged openstack/bandit: Only decode output of subprocess https://review.openstack.org/270484 | 22:14 |
*** edmondsw has quit IRC | 22:21 | |
Ryan_Lane | "Path to a baseline report, in JSON format. Note: baseline reports must be output in one of the following formats: ['screen', 'html', 'txt']" | 22:26 |
*** ccneill_ has joined #openstack-security | 22:26 | |
Ryan_Lane | ^^ re bandit | 22:26 |
Ryan_Lane | in json format. must be in screen, html or txt format? | 22:26 |
Ryan_Lane | so... what does this actually mean? | 22:26 |
tmcpeak | Ryan_Lane: yeah, sorry, that's a little confusing | 22:27 |
tmcpeak | baseline outputs one of those three formats, but the input to the baseline process itself is the JSON output from a previous run | 22:27 |
tmcpeak | so you run against whatever version of your project and output the bandit results in JSON. Then you run Bandit in baseline mode (-b), provide the previous run result's JSON as input, and then it outputs screen, html, or txt | 22:28 |
tmcpeak | you might find the bandit-baseline tool easier to use | 22:28 |
Ryan_Lane | where's the tool? | 22:30 |
tmcpeak | what version are you on? you might need to update | 22:31 |
tmcpeak | it should have been in there as of 17 something | 22:31 |
Ryan_Lane | I can run against master. I don't have a hard requirement | 22:31 |
tmcpeak | Ryan_Lane: https://github.com/openstack/bandit/releases/tag/0.17.0 | 22:31 |
tmcpeak | ok cool | 22:32 |
Ryan_Lane | hm. it can't re-output as json? :( | 22:32 |
tmcpeak | that should work too then | 22:32 |
tmcpeak | Ryan_Lane: not currently, here's why | 22:32 |
tmcpeak | with Bandit Baseline there are some cases where we've found a new issue but we can't tell specifically where in the file it is. So we present candidate issues | 22:32 |
tmcpeak | we haven't written a JSON output for that yet, but it shouldn't be much work to do so | 22:33 |
Ryan_Lane | ok | 22:33 |
Ryan_Lane | I really need to be able to parse the results, so I guess I can't use the baseline | 22:33 |
tmcpeak | Ryan_Lane: is that something you'd like? I can add it to our launchpad blueprints | 22:33 |
*** ccneill_ has quit IRC | 22:33 | |
tmcpeak | Ryan_Lee: hmm, ok, we should be able to get that implemented pretty easily | 22:34 |
Ryan_Lane | hm. I'm not totally sure how this bandit-baseline tool works | 22:34 |
Ryan_Lane | where's the baseline come from? | 22:34 |
tmcpeak | so the idea is that you are running on a project that had pre-existing issues, but you still want to run a Bandit gate | 22:34 |
Ryan_Lane | right. does it look for the baseline in a specific location? | 22:34 |
tmcpeak | the baseline basically says: "only show me new Bandit issues that were introduced between the last commit and the current commit" | 22:34 |
Ryan_Lane | ah. it runs it twice, against two commits? | 22:35 |
tmcpeak | Ryan_Lane: the bandit baseline tool actually automates checking out the parent commit, running Bandit, generating the JSON, checking out the current commit, re-running and generating the diff results | 22:35 |
tmcpeak | Ryan_Lane: yep | 22:35 |
Ryan_Lane | ah. cool | 22:35 |
Ryan_Lane | now the tricky question ;) | 22:35 |
Ryan_Lane | what if you're using github? :) | 22:35 |
tmcpeak | normal git commands work on github stuff right? | 22:35 |
Ryan_Lane | yeah, but pull-requests are a set of commits | 22:36 |
tmcpeak | ahhh | 22:36 |
Ryan_Lane | in a branch | 22:36 |
Ryan_Lane | we rebase down into a single commit before merge, but the PR itself doesn't know about this | 22:36 |
tmcpeak | ok, yeah the baseline tool doesn't automate that. So basically you'd execute the command to run Bandit against the current branch, output JSON, do the fetch of the pull request, run again | 22:36 |
tmcpeak | Ryan_Lane: is there a way to clone the pull request merged to the original project? | 22:37 |
Ryan_Lane | when you clone you get the PR/branch info | 22:37 |
tmcpeak | there must be as people would normally want to test before approving the pull, right? | 22:37 |
Ryan_Lane | assuming it's jenkins | 22:37 |
Ryan_Lane | so ideally it would just baseline against master | 22:38 |
tmcpeak | the baseline tool won't do it, but I think you could write a pretty simple shell script that would do what you're talking about | 22:38 |
Ryan_Lane | is this the baseline tool? https://github.com/openstack/bandit/blob/master/bandit/cli/baseline.py | 22:39 |
tmcpeak | the baseline tool itself started off as shell mumbo jumbo before we ported it to python and pygit and all that good stuff | 22:39 |
tmcpeak | yep | 22:39 |
tmcpeak | hang on, let me drag up equivalent shell so you can get an idea | 22:40 |
Ryan_Lane | seems like I should be able to add a --branch flag so that this would let me specify the commit: https://github.com/openstack/bandit/blob/master/bandit/cli/baseline.py#L66 | 22:40 |
Ryan_Lane | so parent would be the commit of the branch | 22:41 |
tmcpeak | Ryan_Lee: http://paste.openstack.org/show/484465/ | 22:43 |
tmcpeak | shell this was based on | 22:43 |
* Ryan_Lane nods | 22:44 | |
tmcpeak | Ryan_Lee: yeah, that would be a cool enhancement | 22:44 |
Ryan_Lane | I'd really like to avoid branch switching and such via the cli | 22:44 |
Ryan_Lane | since I don't want to possible mess with other tests that may run | 22:44 |
Ryan_Lane | possibly* | 22:45 |
Ryan_Lane | can't type today | 22:45 |
Ryan_Lane | I guess gitpython is doing this anyway, since it's just shelling out | 22:45 |
tmcpeak | you should be able to get the same thing by tweaking the shell a little bit and just cloning the "parent" and current into two different locations | 22:45 |
tmcpeak | yeah gitpython is all shelling on the backend | 22:45 |
Ryan_Lane | gitpython makes me sad ;) | 22:46 |
tmcpeak | Ryan_Lee: added: https://blueprints.launchpad.net/bandit/+spec/json-output-for-baseline-tool | 22:46 |
tmcpeak | the nasty shell mumbo-jumbo I had in there before made browne even sadder I think | 22:46 |
Ryan_Lane | tmcpeak: awesome. thanks :) | 22:46 |
Ryan_Lane | tmcpeak: hahaha | 22:46 |
Ryan_Lane | http://www.pygit2.org/ <3 | 22:46 |
*** jamielennox|away is now known as jamielennox | 22:47 | |
tmcpeak | Ryan_Lee: cool, yeah JSON baseline output should be easy to add | 22:47 |
tmcpeak | ooh | 22:47 |
Ryan_Lane | dulwich is also nice, but its docs are just the worst | 22:47 |
tmcpeak | this looks nicer | 22:47 |
Ryan_Lane | yeah. pygit2 is really nice | 22:47 |
browne | haha yes command output parsing usually leads to bugs | 22:48 |
Ryan_Lane | I also need to open a bug for being able to disable individual tests | 22:48 |
Ryan_Lane | like # nosec-b108 | 22:48 |
*** cjschaef_ has quit IRC | 22:49 | |
Ryan_Lane | also, is there any guidance on test numbering for plugins? | 22:49 |
tmcpeak | Ryan_Lee: that's coming very soon, we're actively working on better include and exclude now | 22:49 |
Ryan_Lane | right now all the plugins are included in the main repo, but very soon that won't be true | 22:49 |
Ryan_Lane | (really, really soon ;) ) | 22:49 |
tmcpeak | Ryan_Lane: awesome, got something up your sleeve? | 22:49 |
*** avarner_ has quit IRC | 22:49 | |
Ryan_Lane | I hope to release something in the next week or so | 22:50 |
tmcpeak | awesome | 22:50 |
Ryan_Lane | a plugin that looks for hardcoded secrets, but considers the values of the strings as well | 22:50 |
tmcpeak | interesting, how do you mean? | 22:50 |
Ryan_Lane | so looks into tuples, dicts, lists, assignments, comparisons, function calls, function definitions | 22:51 |
tmcpeak | hardcoded secrets is something we've had trouble with. The plugin we have is very noisy so I only enable it for pentesting | 22:51 |
Ryan_Lane | so far mine is noisy for confidence levels below high | 22:51 |
Ryan_Lane | but pretty good on high | 22:51 |
tmcpeak | oh cool | 22:51 |
tmcpeak | can't wait to check it out | 22:51 |
Ryan_Lane | I have ways of bumping confidence one way or the other | 22:51 |
Ryan_Lane | including entropy of strings | 22:51 |
tmcpeak | legit | 22:52 |
tmcpeak | if it's better than the one we've got I'd encourage you to contribute it to main Bandit | 22:52 |
Ryan_Lane | hm. maybe I can do that. | 22:52 |
Ryan_Lane | the only external requirement is zxcvbn | 22:53 |
Ryan_Lane | we may keep it separately so that we can iterate on it outside of bandit releases | 22:53 |
tmcpeak | ahh ok, yeah it's not in g-r so we should bundle it separately | 22:53 |
tmcpeak | cool, fair enough | 22:53 |
Ryan_Lane | g-r? | 22:53 |
tmcpeak | openstack global requirements | 22:54 |
Ryan_Lane | ah | 22:54 |
Ryan_Lane | yeah, we're not really using openstack :) | 22:54 |
tmcpeak | since we're an openstack project we can't include requirements that aren't in the global requirements list | 22:54 |
tmcpeak | ahh ok cool | 22:54 |
Ryan_Lane | some of the openstack-security things are useful so far, though | 22:54 |
tmcpeak | this seems like a perfect use for our (somewhat) newly implemented modular plugin loading | 22:54 |
Ryan_Lane | I'm now also looking at anchor :) | 22:54 |
tmcpeak | awesome! | 22:54 |
tmcpeak | where do you work? | 22:54 |
*** sigmavirus24 is now known as sigmavirus24_awa | 22:54 | |
Ryan_Lane | Lyft | 22:55 |
tmcpeak | ahh cool | 22:55 |
Ryan_Lane | I used to be at Wikimedia foundation. I did use openstack there | 22:55 |
tmcpeak | yeah our hope is that a lot of the tools we write can help with security overall, not just OpenStack | 22:55 |
Ryan_Lane | yeah | 22:56 |
Ryan_Lane | I'll probably add an auth module to anchor if I use it | 22:56 |
tmcpeak | awesome | 22:56 |
Ryan_Lane | we have a weird AWS based auth (http://lyft.github.io/confidant/advanced/service_to_service_auth/) | 22:56 |
tmcpeak | hyakuhei, tkelsey, and dg are in England and hopefully sleeping, but those guys are pretty involved with Anchor if you want to discuss your uses with them | 22:57 |
* Ryan_Lane nods | 22:57 | |
*** jmckind_ has quit IRC | 22:57 | |
Ryan_Lane | I talked with them a bit about a backend I want | 22:57 |
tmcpeak | hmm, yeah this looks like it might be a good extension to Anchor | 22:58 |
Ryan_Lane | I want ephemeral overlapping CAs, not just ephemeral certs | 22:58 |
tmcpeak | ephemeral CA's? | 22:58 |
Ryan_Lane | we're very non-trusting. so the idea is to replace the entire chain frequently | 22:58 |
tmcpeak | heh, interesting | 22:58 |
Ryan_Lane | always have two valid, with overlapping time-frames | 22:58 |
tmcpeak | seems like a lot of effort to rotate the trust on the client | 22:59 |
Ryan_Lane | maybe :) | 22:59 |
tmcpeak | I'd be curious to see what you guys come up with | 23:00 |
Ryan_Lane | yeah. haven't really decided to go down this path yet, but we'll see :) | 23:00 |
Ryan_Lane | does keystone support roles and policy (like AWS's IAM roles and policy) yet? | 23:00 |
tmcpeak | I'm not sure, bknudson is probably the one to answer that | 23:01 |
*** ninag has quit IRC | 23:02 | |
bknudson | Ryan_Lane: what are you trying to do? | 23:02 |
Ryan_Lane | bknudson: wondering because I leverage that and AWS's KMS system pretty heavily based on IAM roles and their policy for things like auth and asymmetric encryption | 23:03 |
bknudson | keystone has roles, and openstack services support a policy file... I don't know if this is like AWS's roles and policies. | 23:03 |
Ryan_Lane | basically "let x role encrypt using the key, if the AAD has {'from': 'x'}" | 23:03 |
*** B_Smith has quit IRC | 23:04 | |
Ryan_Lane | and "let role y decrypt using the key, if AAD has {'to': 'y'}" | 23:04 |
Ryan_Lane | asymmetric encryption, using symmetric encryption, basically. | 23:04 |
bknudson | encrypt and decrypt are REST services? | 23:05 |
Ryan_Lane | yes | 23:05 |
*** B_Smith has joined #openstack-security | 23:05 | |
Ryan_Lane | and that service enforces actions based on policy (and AES-GCM's AAD) | 23:05 |
bknudson | I don't know if OpenStack provides an encryption and decryption service? | 23:05 |
Ryan_Lane | barbican | 23:05 |
Ryan_Lane | but I guess that just stores secrets | 23:05 |
bknudson | if there was an encryption and decryption service, then it would be up to that service to implement RBAC. | 23:08 |
bknudson | most openstack services implement rbac. | 23:09 |
Ryan_Lane | yep. in AWS's IAM you define the allowed things a role (or user) is allowed to do, based on the RBAC policies of the services | 23:09 |
Ryan_Lane | I know keystone was looking at that at some point | 23:09 |
bknudson | keystone provides a token that has the roles. the services can use the roles to allow/disallow operations. | 23:10 |
* Ryan_Lane nods | 23:10 | |
*** jhfeng has quit IRC | 23:16 | |
*** diazjf has quit IRC | 23:22 | |
*** dave-mccowan has quit IRC | 23:33 | |
*** winterIsLeaving has quit IRC | 23:38 | |
*** winterIsLeaving has joined #openstack-security | 23:38 | |
*** sigmavirus24_awa is now known as sigmavirus24 | 23:46 | |
Ryan_Lane | didn't write a blog post about this yet, but I just made this repo public: https://github.com/lyft/bandit-high-entropy-string | 23:55 |
tmcpeak | Ryan_Lane: ahh cool | 23:57 |
*** sigmavirus24 is now known as sigmavirus24_awa | 23:59 | |
tmcpeak | this looks awesome | 23:59 |
Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!