#opendaylight-meeting: OpenDaylight Security Analysis Team, second meeting
Meeting started by icbts at 15:32:10 UTC
Meeting summary
- https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis (icbts, 15:32:58)
- Original document and discussion from first meeting consolidated into team wiki page (icbts, 15:34:37)
- ACTION: build upon Bundle/Application Security section - research bundle authorization in OSGi (icbts, 15:38:45)
- RBAC for lifecycle operations vs perms for bundle wiring (icbts, 15:39:32)
- bundle signatures? (icbts, 15:40:25)
- At load time bundle signature verification (icbts, 15:40:52)
- At runtime authorization to bundles (icbts, 15:41:04)
- Certificate to run bundles — ?? (icbts, 15:41:22)
- gpg signatures for bundles (icbts, 15:43:21)
- We need to refine GPG signature vs certificates (icbts, 15:43:43)
- example: Apache uses GPG signatures to validate that bundles are from the community (icbts, 15:44:27)
- KEYS file contains public keys for users to validate bundles come from the community (icbts, 15:44:53)
- Would a certificate be a viable mechanism? (icbts, 15:45:30)
- how to ensure that third parties can make valid certs/signatures? (icbts, 15:46:01)
- Who signs OpenDaylight releases? (icbts, 15:46:36)
- Current status - nothing is being signed (icbts, 15:46:49)
- ACTION: outline some usage parameters for signing releases (icbts, 15:47:10)
- foundation has cert? developers? Who holds the keys? (icbts, 15:48:34)
- TSC / Committers / Release Manager? (icbts, 15:48:47)
- new topic: Export restrictions?? (icbts, 15:49:31)
- OpenDaylight Controllers Plugin Security (icbts, 15:51:29)
- General recommendation for the plugins is as follows 1:: DDoS attack protection on plugin exposed ports 2:: Utilize a common crypto key storage 3:: Support a pluggable or built-in certificate authority (icbts, 15:51:55)
- are there more recommendations? (icbts, 15:52:05)
- ACTION: add recommendations to plugin section (icbts, 15:53:15)
- How do we interact with other projects to communicate recommendations? (icbts, 15:53:36)
- TSC discussion for how recommendations are to be shared (icbts, 15:53:56)
- https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Authorization_of_External_Users (icbts, 15:55:00)
- RBAC for external users? (icbts, 15:55:27)
- recommendations for external users 1:: Access protocol authorization: e.g. a user can only access via HTTPS 2:: Resource Authorization: e.g. what data in the URI tree can the user config/view 3:: Logging access/authorization: useful for incident response analysis. (icbts, 15:56:02)
- Discussion on #2 (icbts, 15:57:07)
- Root Admin, admins of certain parts of controller (icbts, 15:57:36)
- Full vs partial access (icbts, 15:57:45)
- Role Based Access Control (icbts, 15:57:56)
- do all users have access to certain functions? (icbts, 15:58:36)
- Resources vs Services? (icbts, 15:58:49)
- can you make configurations? Which devices? (icbts, 15:59:14)
- Resources/Services authorization (icbts, 15:59:40)
- https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Device.2FForwarding_Elements_BootStrap.2C_Authentication_and_Authorization (icbts, 16:00:08)
- Discovery of ODL controller and devices (icbts, 16:00:23)
- Back tracking … Susanta: tenant isolation in Controller? (icbts, 16:00:55)
- Any tenant level roles? (icbts, 16:01:06)
- Super User for ACME? (icbts, 16:01:30)
- Returning to Bootstrap topic (icbts, 16:04:16)
- controller vs device (icbts, 16:08:32)
- https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Controller_Availability.2FClustering_and_Security (icbts, 16:09:15)
- no updates (icbts, 16:09:19)
- Discussion of Infinispan (icbts, 16:09:57)
- Susanta leading discussion of current ODL controller clustering (icbts, 16:10:36)
- people do unexpected things … more research required (icbts, 16:17:11)
- https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Overall_Recommendations (icbts, 16:17:39)
- ACTION: ongoing discussion of security (icbts, 16:18:08)
- review of high-level recommendations (icbts, 16:18:51)
- phone bridge issues encountered :S (icbts, 16:23:50)
- application isolation (icbts, 16:28:15)
- sandboxing (icbts, 16:28:40)
- see https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#Bundle.2FApplication_Security (icbts, 16:28:59)
- for more on sandboxing issues (icbts, 16:29:07)
- should we capture everyone's ID who is working on Security? (icbts, 16:31:21)
- https://wiki.opendaylight.org/view/CrossProject:OpenDaylight_Security_Analysis#References (icbts, 16:32:28)
- looking for link to article (icbts, 16:32:36)
- Comments?? (icbts, 16:33:19)
- role based actor? (icbts, 16:40:25)
- attributes vs user (icbts, 16:40:42)
- plan for a week to research then present to TSC (icbts, 16:41:41)
Meeting ended at 16:42:03 UTC
Action items
- build upon Bundle/Application Security section - research bundle authorization in OSGi
- outline some usage parameters for signing releases
- add recommendations to plugin section
- ongoing discussion of security
People present (lines said)
- icbts (69)
- odl_meetbot (5)
- Madhu (2)
- Meenakshi_ (0)
Generated by MeetBot 0.1.4.