Friday, 2016-02-05

00:11 *** dave-mccowan has joined #openstack-security
00:18 <openstackgerrit> Charles Neill proposed openstack/syntribos: Adding unittests for datagen  https://review.openstack.org/276512
00:29 *** edtubill has quit IRC
00:54 *** salv-orl_ has quit IRC
00:57 *** ccneill has quit IRC
01:01 *** winterIsLeaving has joined #openstack-security
01:38 *** winterIsLeaving has quit IRC
01:42 *** tmcpeak has quit IRC
01:42 *** raginbajin has quit IRC
01:46 *** raginbajin has joined #openstack-security
02:10 *** edmondsw has quit IRC
02:32 *** ccneill has joined #openstack-security
02:34 *** ccneill has left #openstack-security
03:00 *** browne has quit IRC
03:06 *** rtmorgan has quit IRC
03:06 *** rtmorgan has joined #openstack-security
03:18 *** yuanying_ has joined #openstack-security
03:21 *** yuanying has quit IRC
03:37 *** browne has joined #openstack-security
03:38 *** browne has quit IRC
03:42 *** yuanying has joined #openstack-security
03:44 *** yuanying_ has quit IRC
04:00 *** dave-mccowan has quit IRC
04:01 *** localloop127 has joined #openstack-security
04:05 *** kenn1 has joined #openstack-security
04:05 <kenn1> hello
04:06 *** yuanying has quit IRC
04:07 *** yuanying has joined #openstack-security
04:10 <kenn1> bastaaards
04:10 <kenn1> answer, dammiiiit
04:15 *** kenn1 has left #openstack-security
04:29 *** diazjf has joined #openstack-security
04:30 *** diazjf has quit IRC
05:05 *** localloop127 has quit IRC
05:08 *** salv-orlando has joined #openstack-security
05:18 *** salv-orlando has quit IRC
05:20 *** agireud has quit IRC
05:23 *** agireud has joined #openstack-security
06:08 *** yuanying_ has joined #openstack-security
06:11 *** yuanying has quit IRC
06:13 *** yuanying_ has quit IRC
06:14 *** yuanying has joined #openstack-security
06:15 *** yuanying has quit IRC
06:28 *** yuanying has joined #openstack-security
07:08 *** winterIsLeaving has joined #openstack-security
08:45 *** salv-orlando has joined #openstack-security
08:49 *** salv-orlando has quit IRC
09:00 *** salv-orlando has joined #openstack-security
09:17 *** openstackgerrit has quit IRC
09:17 *** openstackgerrit has joined #openstack-security
09:20 *** markvoelker has quit IRC
10:21 *** markvoelker has joined #openstack-security
10:26 *** markvoelker has quit IRC
10:36 *** dave-mccowan has joined #openstack-security
10:39 *** salv-orl_ has joined #openstack-security
10:42 *** salv-orlando has quit IRC
10:44 *** winterIsLeaving has quit IRC
10:58 *** dave-mccowan has quit IRC
11:00 *** nkinder has joined #openstack-security
11:11 *** mirona has quit IRC
11:24 <openstackgerrit> venkatamahesh proposed openstack/security-doc: Fix exact link for home-page  https://review.openstack.org/276690
11:25 *** mirona has joined #openstack-security
11:47 <openstackgerrit> Merged openstack/anchor: Correct the bandit test dependency  https://review.openstack.org/276412
11:59 *** nkinder has quit IRC
12:01 *** salv-orl_ has quit IRC
12:22 *** markvoelker has joined #openstack-security
12:27 *** markvoelker has quit IRC
12:29 *** salv-orlando has joined #openstack-security
13:13 *** salv-orlando has quit IRC
13:23 *** markvoelker has joined #openstack-security
13:24 *** samueldmq1 has joined #openstack-security
13:24 *** markvoelker_ has joined #openstack-security
13:24 *** markvoelker has quit IRC
13:28 *** samueldmq1 has quit IRC
13:34 *** edmondsw has joined #openstack-security
13:35 *** localloop127 has joined #openstack-security
13:50 *** nkinder has joined #openstack-security
14:06 *** dave-mccowan has joined #openstack-security
14:06 *** jmckind has joined #openstack-security
14:13 *** salv-orlando has joined #openstack-security
14:17 *** agireud has quit IRC
14:19 *** agireud has joined #openstack-security
14:30 *** salv-orlando has quit IRC
14:35 *** mvaldes has joined #openstack-security
14:37 *** mvaldes1 has joined #openstack-security
14:39 *** mvaldes has quit IRC
14:50 *** ninag has joined #openstack-security
14:58 *** rtmorgan has quit IRC
15:00 *** samueldmq1 has joined #openstack-security
15:03 *** edtubill has joined #openstack-security
15:05 *** samueldmq1 has quit IRC
15:07 *** mvaldes1 has quit IRC
15:08 *** jhfeng has joined #openstack-security
15:10 *** mvaldes has joined #openstack-security
15:10 *** sigmavirus24_awa is now known as sigmavirus24
15:14 *** mvaldes has quit IRC
15:17 *** dave-mccowan has quit IRC
15:18 *** nkinder has quit IRC
15:28 *** nkinder has joined #openstack-security
15:32 *** dave-mccowan has joined #openstack-security
16:14 *** nkinder has quit IRC
16:17 <openstackgerrit> Greg Anderson proposed openstack/syntribos: XSS Body Test  https://review.openstack.org/276458
16:18 <openstackgerrit> Michael Dong proposed openstack/syntribos: XSS Body Test  https://review.openstack.org/276458
16:32 *** timkennedy1 has joined #openstack-security
16:34 *** diazjf has joined #openstack-security
16:35 *** timkennedy2 has joined #openstack-security
16:35 *** timkennedy has quit IRC
16:36 *** hyakuhei has joined #openstack-security
16:37 *** timkennedy1 has quit IRC
16:51 *** bpokorny has joined #openstack-security
16:59 <elmiko> sigmavirus24: hey, trying to do some bandit stuff today and i'm getting this http://paste.openstack.org/show/486114/ does that look familiar?
17:04 *** mvaldes has joined #openstack-security
17:04 <sigmavirus24> elmiko: that's surprising to be happening on 0.10.1
17:04 <elmiko> sigmavirus24: yea, not sure what i did. i switched my tox to 2.3.1 and python to 3.4, now it's sad =(
17:05 <elmiko> oh well, i think i'll just update to bandit 0.17.3. this seems to be working
17:05 *** nkinder has joined #openstack-security
17:05 <elmiko> sigmavirus24: thanks!
17:05 <sigmavirus24> elmiko: that's super surprising
17:09 <elmiko> huh, seems to work fine with py2.7.10
17:09 <elmiko> oh well, it's such an old version of bandit
17:10 *** avarner_ has joined #openstack-security
17:10 <openstackgerrit> Christopher J Schaefer proposed openstack/bandit: Moving bandit baseline unit tests  https://review.openstack.org/276836
17:14 *** avarner has quit IRC
17:27 *** nkinder has quit IRC
17:39 *** sigmavirus24 is now known as sigmavirus24_awa
17:41 *** ibravo has joined #openstack-security
17:55 *** salv-orlando has joined #openstack-security
17:56 *** diazjf has quit IRC
18:05 *** diazjf has joined #openstack-security
18:14 *** ibravo has quit IRC
18:16 *** mvaldes has quit IRC
18:24 *** diazjf has quit IRC
18:27 *** liverpooler has joined #openstack-security
18:28 *** liverpoo1er has joined #openstack-security
18:44 *** browne has joined #openstack-security
18:47 *** jhfeng_ has joined #openstack-security
18:50 *** jhfeng has quit IRC
18:53 *** localloop127 has quit IRC
18:56 *** localloop127 has joined #openstack-security
19:01 <openstackgerrit> Greg Anderson proposed openstack/syntribos: XSS Body Test  https://review.openstack.org/276458
19:02 <openstackgerrit> Michael Dong proposed openstack/syntribos: XSS Body Test  https://review.openstack.org/276458
19:09 *** mvaldes has joined #openstack-security
19:09 *** jhfeng_ has quit IRC
19:10 *** mvaldes1 has joined #openstack-security
19:13 *** mvaldes has quit IRC
19:14 *** sigmavirus24_awa is now known as sigmavirus24
19:18 *** localloop127 has quit IRC
19:21 *** localloop127 has joined #openstack-security
19:24 *** salv-orlando has quit IRC
19:40 *** hyakuhei has quit IRC
19:44 *** avarner_ has quit IRC
19:45 <openstackgerrit> Christopher J Schaefer proposed openstack/bandit: Added cli.main unit tests  https://review.openstack.org/276889
19:52 *** sigmavirus24 is now known as sigmavirus24_awa
19:58 *** diazjf has joined #openstack-security
20:00 *** agireud has quit IRC
20:02 *** agireud has joined #openstack-security
20:14 *** dave-mccowan has quit IRC
20:19 *** jhfeng has joined #openstack-security
20:20 *** localloop127 has quit IRC
20:24 *** salv-orlando has joined #openstack-security
20:27 *** avarner has joined #openstack-security
20:35 *** diazjf has quit IRC
20:37 *** dave-mccowan has joined #openstack-security
20:40 *** diazjf has joined #openstack-security
20:40 *** diazjf has quit IRC
20:41 *** diazjf has joined #openstack-security
20:50 *** jmckind has quit IRC
20:51 *** localloop127 has joined #openstack-security
20:52 *** hyakuhei has joined #openstack-security
20:56 *** hyakuhei has quit IRC
21:02 *** hyakuhei has joined #openstack-security
21:05 *** hyakuhei has quit IRC
21:09 *** ahilsinhas has joined #openstack-security
21:11 *** winterIsLeaving has joined #openstack-security
21:12 *** jhfeng has quit IRC
21:15 *** mvaldes1 has quit IRC
21:42 *** diazjf has quit IRC
21:43 *** localloop127 has quit IRC
22:01 *** jhfeng has joined #openstack-security
22:35 *** ibravo has joined #openstack-security
22:40 *** salv-orl_ has joined #openstack-security
22:43 *** salv-orlando has quit IRC
22:44 *** ninag has quit IRC
22:51 <ahilsinhas> hello - i have a question regarding public endpoints. i've attempted the cryptographic separation of internal and external environments and the public endpoint is on a physically isolated network from internal/admin endpoints. if i pass the os-interface public argument from a public remote client everything works, however without it it leaks my internal endpoint. im wondering if this is a problem that im causing or a problem
22:53 <ahilsinhas> token issue seems to work without specifying the os-interface option, however any other command without will yield an error for keystone:35357
22:54 <elmiko> ahilsinhas: could you describe a little more about how it is leaking?
22:54 <elmiko> (for example, what command are you running?)
22:54 <ahilsinhas> elmiko: absolutely!
22:55 <ahilsinhas> service list, endpoint-list, set password (2 of those should return a 403 for this user and do with the option set)
22:55 <ahilsinhas> it appears without the option right after the token issue the remote client using public endpoints tries to use an admin endpoint
22:55 <elmiko> is this using the openstack common cli tool?
22:55 <ahilsinhas> yes
22:56 <ahilsinhas> v 1.7.0
22:56 <elmiko> interesting
22:56 <ahilsinhas> and leaks the admin endpoint ;p
22:56 <ahilsinhas> now this could be totally because of my configuration and probably is
22:56 <elmiko> you may want to ask around in #openstack-sdks, it's possible you've found a bug
22:56 <ahilsinhas> it felt kinda like one
22:57 <elmiko> also, do you have any environment variables or config files that may be affecting the endpoint option when you do not specify it?
22:57 <ahilsinhas> you know i might
22:57 <elmiko> (i'm not sure what the default is)
22:57 <ahilsinhas> i'll check
22:58 <ahilsinhas> haha i do
22:58 <elmiko> ;)
22:58 <ahilsinhas> actually false alarm
22:58 <ahilsinhas> they all use the OOS prefix
22:59 <elmiko> ok, so it really *is* failing with the leakage?
22:59 <ahilsinhas> ya
22:59 <elmiko> so yea, next step would be either to ask in openstack-sdks, or report a bug to the openstackclient launchpad
22:59 <ahilsinhas> ok
23:00 <elmiko> you may have uncovered something that was not intended, and it sounds fairly reproducible
23:00 <ahilsinhas> i am concerned that perhaps i set up my public/private endpoints wrong
23:00 *** ibravo has quit IRC
23:00 <elmiko> that's possible too
23:00 <ahilsinhas> particularly their references in keystone.conf
23:00 <elmiko> do you have them set up in the service catalog endpoint list properly?
23:00 <ahilsinhas> ya i think the error should be repeatable and i can write it up
23:01 <openstackgerrit> Merged openstack/bandit: Moving bandit baseline unit tests  https://review.openstack.org/276836
23:01 <ahilsinhas> endpoints are set up appropriately; i refer to internal/admin endpoints via hostname
23:01 <elmiko> great, i know there is some confusion around the ways that public/internal/admin interfaces are used. so it may be something common
23:01 <ahilsinhas> which has entries in /etc/hosts per the ubuntu install guide
23:01 <ahilsinhas> ya it is a bit confusing
23:01 <ahilsinhas> but i *think* i got it right
23:01 <elmiko> agreed
23:02 <ahilsinhas> public endpoint is a domain with dns entries to public ip
23:02 <ahilsinhas> only port 5000 is exposed
23:02 <ahilsinhas> for now
23:02 <elmiko> then yea, maybe just report a bug or ask the sdks guys. although, it might be kinda quiet in there given it's late on friday u.s. time
23:02 <ahilsinhas> i will for sure
23:02 <ahilsinhas> i suppose i can be happy that everything works when i pass the option
23:03 <elmiko> so, you are saying that when you try to `openstack token issue` without specifying the os-endpoint, then you see it try to hit the adminURL ?
23:03 <ahilsinhas> ooo good question
23:03 <ahilsinhas> i believe for token
23:03 <ahilsinhas> it is 100% port 5000 public
23:03 <elmiko> ok, cool
23:03 <ahilsinhas> but token always happens for everything right?
23:03 <elmiko> yea
23:04 <ahilsinhas> so for any other command token goes OK and then it tries private endpoints unless i specify the option
23:04 <ahilsinhas> so i do have one specific question
23:04 <elmiko> hmm
23:04 <elmiko> sure
23:04 <ahilsinhas> these things all only started to work when i set admin_endpoint and public_endpoint in keystone.conf
23:05  * elmiko digs out his keystone.conf
23:05 <ahilsinhas> to hostname:35357 and publicurl:5000 respectively
23:05 <ahilsinhas> ;p
23:07 <elmiko> and that controller is serving both hostname and publicurl?
23:07 <ahilsinhas> oo i also have auth_uri twice, once with public and private
23:07 <ahilsinhas> yes unfortunately for now
23:07 <elmiko> auth_uri in your keystone.conf?
23:07 <ahilsinhas> yes
23:08 <ahilsinhas> those iirc had no real impact
23:08 <ahilsinhas> on things working or not
23:08 <elmiko> hmm, yea. i don't understand auth_uri inside keystone.conf
23:08 <ahilsinhas> i took it from the gentoo-openstack guy's blog when he was talking about ssl keystone ;p
23:08 <elmiko> does that keystone controller talk to another keystone or a kerb or something?
23:09 <elmiko> :q
23:09 <elmiko> mt
23:09 <ahilsinhas> oh my i'll have to change that anyway - im actually planning on using oidc for auth so maybe that setting has to do with federation?
23:09 <ahilsinhas> anyway i think that might be a red herring
23:10 <elmiko> i would think so, usually auth_url instructs the keystone middleware on where it can make identity requests
23:10 <ahilsinhas> the question is how do you properly refer to public and private endpoints within keystone.conf itself?
23:10 <elmiko> yea, probably
23:10 <elmiko> i think you have it correct by specifying the public_endpoint admin_endpoint
23:10 <ahilsinhas> those were my thoughts
23:10 <ahilsinhas> agreed then it very well may be leaking
23:11 <elmiko> and put them on separate IPs or whatever
23:11 <ahilsinhas> they are
23:11 <elmiko> trying to look at the openstackclient source now
23:11 <ahilsinhas> the public ip can't even route to the private one
23:11 <ahilsinhas> ditto
23:11 <ahilsinhas> i can give you the exception
23:11 <ahilsinhas> hold on
23:11 <ahilsinhas> well that might not help
23:12 <ahilsinhas> it will with full trace perhaps
23:13 *** edmondsw has quit IRC
23:13 <ahilsinhas> elmiko: http://pastebin.com/arHUMFjw
23:14 <ahilsinhas> ha shit my home is in there
23:14 <ahilsinhas> ;p
23:15 <elmiko> huh, i wonder if it just tries admin as a backup?
23:16 <ahilsinhas> what file(s) were you thinking relevant in the client?
23:17 <elmiko> not sure, i'm trying to figure out where it grabs the --os-endpoint option from
23:17 <ahilsinhas> oo good idea
23:17 <elmiko> i thought it was os-client-config
23:18 <ahilsinhas> im looking at service catalog generation
23:18 <ahilsinhas> self.app.client_manager.identity.services.list()
23:20 <ahilsinhas> so im guessing service "Type" is public/internal/admin
23:20 <ahilsinhas> what is the name of an endpoint?
23:20 <elmiko> i would think so, but i haven't played around with that option on the cli
23:22 <elmiko> well, i guess regardless of the option, it shouldn't be leaking those details
23:22 <ahilsinhas> yes definitely
23:22 <ahilsinhas> which is why i came here ;p
23:23 <ahilsinhas> i'll go to sdk and keep plugging along with the deployment and see if i come across any other issues
23:23 <ahilsinhas> tricky cause im never sure if it's me that is the problem ;p
23:23 <elmiko> good luck, sorry i couldn't be of more help :/
23:23 <elmiko> totally
23:23 <ahilsinhas> elmiko: you were totally helpful
23:23 <ahilsinhas> thank you so much
23:23 <elmiko> np =)
23:24 <ahilsinhas> confirming that im generally doing public/internal/admin right was a load off
23:24 <elmiko> i *think* you are, but there are probably more details here that need to be exposed
23:24 <ahilsinhas> ya i think creating a bug is perhaps sensible
23:25 <ahilsinhas> i wish i could have someone reproduce
23:25 *** ninag has joined #openstack-security
23:25 *** ninag has quit IRC
23:26 *** edtubill has quit IRC
23:33 *** jhfeng has quit IRC

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!