
IRC log for #confidant, 2016-04-11


All times shown according to UTC.

Time Nick Message
00:27 woodrow hey werfgf, if/when you come back and there’s no one here, ask your question anyway and we’ll respond when we see it.
01:48 ilbot3 joined #confidant
01:48 Topic for #confidant is now Secret management for AWS. https://lyft.github.io/confidant Channel logs at http://irclog.perlgeek.de/confidant/
15:19 RandyT joined #confidant
20:36 daMaestro joined #confidant
20:37 daMaestro afternoon. I'm reviewing the use of redis and it seems that it's only used in context of the flask app sessions. is that the case?
20:37 daMaestro 1) is there anything of security consequence stored there?
20:37 daMaestro 2) does it need to be shared when running HA?
20:39 daMaestro 3) why not use something stateless like JWT or flask-login (though it looks like flask-login would still need a backend session store)
20:42 daMaestro it *looks* like only the user's email from google is stored in the session, which could be stored safely in a jwt and use a stateless session component for flask itself once authorization happens
20:42 daMaestro but i've not done a deepdive on this yet
20:44 daMaestro ah, looks like you guys are already going down this path: https://github.com/lyft/confidant/issues/12
20:56 daMaestro a quick test shows it likely does need to be centralized when running HA without using sticky sessions (yeah, don't use those)
23:32 woodrow daMaestro: yeah, the redis-for-sessions is a lyft legacy thing
23:32 woodrow we’ve been doing some work to drop it as a dependency
23:33 woodrow it should land in the next release but i don’t know when that’s going to be
23:34 woodrow hopefully in a month or so?
23:34 daMaestro woodrow, thanks for confirming. i think i'm going to hold off deploying anything non-poc until that requirement is removed
23:34 daMaestro it would suck to have to run an elasticache cluster *just* for this
23:34 woodrow agreed
23:34 daMaestro we've got a decently automated elasticbeanstalk "push button" working right now
23:35 daMaestro it's really nice to be able to launch a password safe super simply, unfortunately still managing access to the web ui via branches and different user acl lists... but that saml work would be sweet to address that
23:36 daMaestro i'm also going to see if the google plus api gives back group memberships or not, might be able to do a quick PR to use that as an ACL vs user lists
23:36 daMaestro at least that way we don't have to deploy a new docker layer to apply a new acl list
23:37 woodrow daMaestro: it doesn’t unfortunately
23:37 woodrow (though i’d be happy to be proven wrong)
23:37 daMaestro sigh google. why.
23:37 daMaestro naw, it makes sense to me. it's not their gapps account API, it's their wannabesocial api
23:37 woodrow google apps for business does SAML but doesn’t support this either
23:37 daMaestro i wouldn't expose internal gapps group memberships there either
23:38 woodrow so afaik most people solve this by either having the web app hit the groups api directly
23:38 woodrow or having an IdP between google and the SP/relying party that merges group info into its assertions
23:39 daMaestro yeah, i'm tracking the ipsilon work pretty closely
23:39 daMaestro would be great to put that on top of our realm for stuff like this
23:39 daMaestro https://fedorahosted.org/ipsilon/
23:45 daMaestro we are both looking for a better way to manage secrets (we do it in cfg management encrypted files at this point) and to replace/centralize our use of password safes
23:45 daMaestro we have teams ranging from local text files through to elaborate quadruple encryption version controlled madness, and really just need a standardized way to collaborate on secrets
23:46 daMaestro retrieving them programmatically is lower on the list
23:46 daMaestro and since confidant is so tied to AWS, it doesn't serve all of our needs on the programmatic retrieval
